Commit aeb83ba

Merge pull request #475 from Meatballs1/hsql_clean
HSQL Payloads and Query Support
2 parents a1842f4 + eb2012c commit aeb83ba

17 files changed

Lines changed: 764 additions & 10 deletions


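--- a/lib/controller/handler.py
+++ b/lib/controller/handler.py
@@ -20,6 +20,7 @@
 from lib.core.settings import MAXDB_ALIASES
 from lib.core.settings import SYBASE_ALIASES
 from lib.core.settings import DB2_ALIASES
+from lib.core.settings import HSQL_ALIASES
 from lib.utils.sqlalchemy import SQLAlchemy
 
 from plugins.dbms.mssqlserver import MSSQLServerMap
@@ -42,6 +43,8 @@
 from plugins.dbms.sybase.connector import Connector as SybaseConn
 from plugins.dbms.db2 import DB2Map
 from plugins.dbms.db2.connector import Connector as DB2Conn
+from plugins.dbms.hsql import HSQLMap
+from plugins.dbms.hsql.connector import Connector as HSQLConn
 
 def setHandler():
 """
@@ -60,6 +63,7 @@ def setHandler():
 (DBMS.MAXDB, MAXDB_ALIASES, MaxDBMap, MaxDBConn),
 (DBMS.SYBASE, SYBASE_ALIASES, SybaseMap, SybaseConn),
 (DBMS.DB2, DB2_ALIASES, DB2Map, DB2Conn),
+(DBMS.HSQL, HSQL_ALIASES, HSQLMap, HSQLConn),
 ]
 
 _ = max(_ if (Backend.getIdentifiedDbms() or "").lower() in _[1] else None for _ in items)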

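--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -525,7 +525,7 @@ def concatQuery(self, query, unpack=True):
 else:
 return query
 
-if Backend.isDbms(DBMS.MYSQL):
+if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.HSQL):
 if fieldsExists:
 concatenatedQuery = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % kb.chars.start, 1)
 concatenatedQuery += ",'%s')" % kb.chars.stop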

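--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -3448,7 +3448,11 @@ def _(value):
 retVal = retVal.decode("utf-16-le")
 except UnicodeDecodeError:
 pass
-
+elif Backend.isDbms(DBMS.HSQL):
+try:
+retVal = retVal.decode("utf-16-be")
+except UnicodeDecodeError:
+pass
 if not isinstance(retVal, unicode):
 retVal = getUnicode(retVal, "utf8")
 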
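Review bot: The new `elif Backend.isDbms(DBMS.HSQL)` branch treats a non-raising `retVal.decode("utf-16-be")` as proof the value is UTF-16, but nearly any even-length byte string decodes under UTF-16-BE without error, so an ordinary ASCII/UTF-8 result of even length is silently turned into two-byte garbage while odd-length values fall through to the utf8 fallback below. The MySQL branch above presumably sits under a guard that is outside the hunk; the HSQL branch should carry an equivalent condition, or at minimum a comment recording the assumption, e.g. `# NOTE(review): assumes HSQL returns string values as raw UTF-16-BE bytes -- confirm and guard like the MySQL branch`. The enclosing `_(value)` function starts and ends outside the hunk.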

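--- a/lib/core/dicts.py
+++ b/lib/core/dicts.py
@@ -20,6 +20,7 @@
 from lib.core.settings import MAXDB_ALIASES
 from lib.core.settings import SYBASE_ALIASES
 from lib.core.settings import DB2_ALIASES
+from lib.core.settings import HSQL_ALIASES
 
 FIREBIRD_TYPES = {
 "261": "BLOB",
@@ -137,6 +138,7 @@
 DBMS.MAXDB: (MAXDB_ALIASES, None, None, "maxdb"),
 DBMS.SYBASE: (SYBASE_ALIASES, "python-pymssql", "http://pymssql.sourceforge.net/", "sybase"),
 DBMS.DB2: (DB2_ALIASES, "python ibm-db", "http://code.google.com/p/ibm-db/", "ibm_db_sa"),
+DBMS.HSQL: (HSQL_ALIASES, "python jaydebeapi", "https://pypi.python.org/pypi/JayDeBeApi/", "hsql"),
 }
 
 FROM_DUMMY_TABLE = {
@@ -145,6 +147,7 @@
 DBMS.FIREBIRD: " FROM RDB$DATABASE",
 DBMS.MAXDB: " FROM VERSIONS",
 DBMS.DB2: " FROM SYSIBM.SYSDUMMY1",
+DBMS.HSQL: " FROM INFORMATION_SCHEMA.SYSTEM_USERS"
 }
 
 SQL_STATEMENTS = {
@@ -186,7 +189,9 @@
 
 "SQL data execution": (
 "exec ",
-"execute ", ),
+"execute ",
+"values ",
+"call ", ),
 
 "SQL transaction": (
 "start transaction ",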
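Review bot: `FROM_DUMMY_TABLE[DBMS.HSQL]` points at `INFORMATION_SCHEMA.SYSTEM_USERS`, which appears to be a real catalog table rather than a one-row dummy source, so a payload built on it would return one row per user where every other entry in this dict returns exactly one row. The `hsql/connector.py` added in this same commit already uses `FROM (VALUES(0))` as its single-row source, so the two should agree: `DBMS.HSQL: " FROM (VALUES(0))",`. That also restores the trailing comma the new entry omits, matching the surrounding literal.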

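--- a/lib/core/enums.py
+++ b/lib/core/enums.py
@@ -33,6 +33,7 @@ class DBMS:
 PGSQL = "PostgreSQL"
 SQLITE = "SQLite"
 SYBASE = "Sybase"
+HSQL = "HyperSQL"
 
 class DBMS_DIRECTORY_NAME:
 ACCESS = "access"
@@ -45,6 +46,7 @@ class DBMS_DIRECTORY_NAME:
 PGSQL = "postgresql"
 SQLITE = "sqlite"
 SYBASE = "sybase"
+HSQL = "hsql"
 
 class CUSTOM_LOGGING:
 PAYLOAD = 9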

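--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -163,6 +163,7 @@
 SYBASE_SYSTEM_DBS = ("master", "model", "sybsystemdb", "sybsystemprocs")
 DB2_SYSTEM_DBS = ("NULLID", "SQLJ", "SYSCAT", "SYSFUN", "SYSIBM", "SYSIBMADM", "SYSIBMINTERNAL", "SYSIBMTS",\
 "SYSPROC", "SYSPUBLIC", "SYSSTAT", "SYSTOOLS")
+HSQL_SYSTEM_DBS = ("INFORMATION_SCHEMA", "SYSTEM_LOB")
 
 MSSQL_ALIASES = ("microsoft sql server", "mssqlserver", "mssql", "ms")
 MYSQL_ALIASES = ("mysql", "my")
@@ -174,10 +175,11 @@
 MAXDB_ALIASES = ("maxdb", "sap maxdb", "sap db")
 SYBASE_ALIASES = ("sybase", "sybase sql server")
 DB2_ALIASES = ("db2", "ibm db2", "ibmdb2")
+HSQL_ALIASES = ("hsql", "hsqldb", "hs", "hypersql")
 
 DBMS_DIRECTORY_DICT = dict((getattr(DBMS, _), getattr(DBMS_DIRECTORY_NAME, _)) for _ in dir(DBMS) if not _.startswith("_"))
 
-SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES
+SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES + HSQL_ALIASES
 SUPPORTED_OS = ("linux", "windows")
 
 USER_AGENT_ALIASES = ("ua", "useragent", "user-agent")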

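--- a/plugins/dbms/hsql/__init__.py
+++ b/plugins/dbms/hsql/__init__.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.enums import DBMS
+from lib.core.settings import HSQL_SYSTEM_DBS
+from lib.core.unescaper import unescaper
+from plugins.dbms.hsql.enumeration import Enumeration
+from plugins.dbms.hsql.filesystem import Filesystem
+from plugins.dbms.hsql.fingerprint import Fingerprint
+from plugins.dbms.hsql.syntax import Syntax
+from plugins.dbms.hsql.takeover import Takeover
+from plugins.generic.misc import Miscellaneous
+
+class HSQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeover):
+"""
+This class defines MySQL methods
+"""
+
+def __init__(self):
+self.excludeDbsList = HSQL_SYSTEM_DBS
+self.sysUdfs = {
+# UDF name: UDF return data-type
+"sys_exec": { "return": "int" },
+"sys_eval": { "return": "string" },
+"sys_bineval": { "return": "int" }
+}
+
+Syntax.__init__(self)
+Fingerprint.__init__(self)
+Enumeration.__init__(self)
+Filesystem.__init__(self)
+Miscellaneous.__init__(self)
+Takeover.__init__(self)
+
+unescaper[DBMS.HSQL] = Syntax.escape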
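Review bot: The class docstring on `HSQLMap` reads `This class defines MySQL methods`, a leftover from the MySQL plugin; it should read `This class defines HSQL methods`. The `sysUdfs` table (`sys_exec`, `sys_eval`, `sys_bineval`) looks copied from the same source, and nothing in this commit shows HSQL exposing such UDFs, while the new `filesystem.py` raises unsupported for every file operation, so the table risks advertising takeover capabilities the plugin cannot deliver. Either remove the entries or mark the assumption, e.g. `# NOTE(review): copied from the MySQL plugin -- confirm these UDFs apply to HSQL or drop them`.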

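--- a/plugins/dbms/hsql/connector.py
+++ b/plugins/dbms/hsql/connector.py
@@ -0,0 +1,91 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+try:
+from thirdparty import jaydebeapi
+import jpype
+except ImportError, msg:
+pass
+
+import logging
+
+from lib.core.data import conf
+from lib.core.data import logger
+from lib.core.exception import SqlmapConnectionException
+from plugins.generic.connector import Connector as GenericConnector
+
+class Connector(GenericConnector):
+"""
+Homepage: http://jpype.sourceforge.net/
+User guide: http://jpype.sourceforge.net/doc/user-guide/userguide.html
+API: http://code.google.com/p/pymysql/
+Debian package: <none>
+License: Apache License V2.0
+"""
+
+def __init__(self):
+GenericConnector.__init__(self)
+
+def connect(self):
+self.initConnection()
+try:
+jar = './thirdparty/hsql/hsqldb.jar'
+args='-Djava.class.path=%s' % jar
+jvm_path = jpype.getDefaultJVMPath()
+jpype.startJVM(jvm_path, args)
+except (Exception), msg: #todo fix with specific error
+raise SqlmapConnectionException(msg[0])
+try:
+driver = 'org.hsqldb.jdbc.JDBCDriver'
+connection_string = 'jdbc:hsqldb:mem:.' #'jdbc:hsqldb:hsql://%s/%s' % (self.hostname, self.db)
+self.connector = jaydebeapi.connect(driver,
+connection_string,
+str(self.user),
+str(self.password))
+except (Exception), msg: #todo what kind of error is this?!
+raise SqlmapConnectionException(msg[0])
+
+self.initCursor()
+self.printConnected()
+
+def fetchall(self):
+try:
+return self.cursor.fetchall()
+except (Exception), msg:
+logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
+return None
+
+def execute(self, query):
+retVal = False
+
+try:
+self.cursor.execute(query)
+retVal = True
+except (Exception), msg: #todo fix with specific error
+logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
+except Exception, msg: #todo fix with specific error
+raise SqlmapConnectionException(msg[1])
+
+self.connector.commit()
+
+return retVal
+
+def select(self, query):
+retVal = None
+
+upper_query = query.upper()
+
+if query and not (upper_query.startswith("SELECT ") or upper_query.startswith("VALUES ")):
+query = "VALUES %s" % query
+
+if query and upper_query.startswith("SELECT ") and " FROM " not in upper_query:
+query = "%s FROM (VALUES(0))" % query
+
+self.cursor.execute(query)
+retVal = self.cursor.fetchall()
+
+return retVal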
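Review bot: `connect()` hard-codes `connection_string = 'jdbc:hsqldb:mem:.'` and leaves the host-based URL in a trailing comment, so a direct connection opens a fresh in-memory database inside the local JVM instead of the configured target; every query then runs against an empty local instance while `printConnected()` still reports success. Restore `connection_string = 'jdbc:hsqldb:hsql://%s/%s' % (self.hostname, self.db)` or document why the in-memory URL is intended. In `execute()` the second `except Exception, msg:` is unreachable because the first clause already catches `Exception`, and the `msg[1]` indexing there and in `fetchall()` raises `IndexError` for any exception carrying fewer than two args, turning a database error into an unrelated traceback; prefer `str(msg)`. `jpype.startJVM` is also called unconditionally on every `connect()`, and a second call on an already-running JVM is caught by the broad `except` and reported as a connection failure, so guard it with `if not jpype.isJVMStarted():`.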

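--- a/plugins/dbms/hsql/enumeration.py
+++ b/plugins/dbms/hsql/enumeration.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from plugins.generic.enumeration import Enumeration as GenericEnumeration
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.data import queries
+from lib.core.common import Backend
+from lib.core.common import unArrayizeValue
+from lib.request import inject
+from lib.parse.banner import bannerParser
+
+class Enumeration(GenericEnumeration):
+def __init__(self):
+GenericEnumeration.__init__(self)
+
+def getBanner(self):
+if not conf.getBanner:
+return
+
+if kb.data.banner is None:
+infoMsg = "fetching banner"
+logger.info(infoMsg)
+
+query = queries[Backend.getIdentifiedDbms()].banner.query
+kb.data.banner = unArrayizeValue(inject.getValue(query, safeCharEncode=True))
+
+return kb.data.banner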
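Review bot: `bannerParser` is imported but never used in the new `getBanner()`; drop `from lib.parse.banner import bannerParser`. The override itself is a plain fetch of `queries[...].banner.query` into `kb.data.banner`, so if its purpose is to bypass the banner parsing done by `GenericEnumeration.getBanner`, a one-line comment would save the next reader a diff against the generic class, e.g. `# HSQL: banner is stored verbatim, no bannerParser post-processing`.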

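--- a/plugins/dbms/hsql/filesystem.py
+++ b/plugins/dbms/hsql/filesystem.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.exception import SqlmapUnsupportedFeatureException
+from plugins.generic.filesystem import Filesystem as GenericFilesystem
+
+class Filesystem(GenericFilesystem):
+def __init__(self):
+GenericFilesystem.__init__(self)
+
+def readFile(self, rFile):
+errMsg = "Not implemented in HSQL"
+raise SqlmapUnsupportedFeatureException(errMsg)
+
+def writeFile(self, wFile, dFile, fileType=None, forceCheck=False):
+errMsg = "Not implemented in HSQL"
+raise SqlmapUnsupportedFeatureException(errMsg)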
