Class: Msf::Exploit::SQLi::Common

Inherits: Object
Includes: Module::UI
Defined in: lib/msf/core/exploit/sqli/common.rb

Instance Attribute Summary

Attributes included from Rex::Ui::Subscriber::Input

#user_input

Attributes included from Rex::Ui::Subscriber::Output

#user_output

Instance Method Summary

Methods included from Module::UI

#init_ui

Methods included from Module::UI::Message

#print_error, #print_good, #print_prefix, #print_status, #print_warning

Methods included from Module::UI::Message::Verbose

#vprint_error, #vprint_good, #vprint_status, #vprint_warning

Methods included from Module::UI::Line

#print_line, #print_line_prefix

Methods included from Module::UI::Line::Verbose

#vprint_line

Methods included from Rex::Ui::Subscriber

#copy_ui, #init_ui, #reset_ui

Methods included from Rex::Ui::Subscriber::Input

#gets

Methods included from Rex::Ui::Subscriber::Output

#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning

Constructor Details

#initialize(datastore, framework, user_output, opts = {}, &query_proc) ⇒ Common

Creates an instance of an SQL injection object. Users should use the create_dbms method of Msf::Exploit::SQLi instead.

@param datastore [DataStore]
@param framework [Framework]
@param user_output [Rex::Ui::Text::Output::Stdio]
@param opts [Hash] a dictionary containing the parameters needed
@option opts [Integer] truncation_length : [Optional] The number of characters returned if the query result is truncated
@option opts [String] concat_separator : [Optional] The separator to use when concatenating rows (default ',')
@option opts [String] second_concat_separator : [Optional] The separator to use when concatenating columns (default ';')
@option opts [Boolean] safe : don't use group_concat; safer for large tables where group_concat would truncate the result, but more queries will be performed
@option opts [String] null_replacement : a string that will replace NULL values
@option opts [Boolean] hex_encode_strings : encode strings as hex numbers, so the payload contains no quotes
@option opts [Object] encoder : an encoder name, or a hash specifying a custom encoder; see Encoders in the DBMS-specific classes
@param query_proc [Proc] a block that will receive the payload and should send the request to the target:
- if it's a regular SQL injection, it should return the part of the response that is the query result (one row)
- if it's a boolean-based blind SQL injection, it should return `true`, `false`, or a value that evaluates to one of them: `true` if the query returned a result, `false` otherwise
- if it's a time-based blind SQL injection, the return value does not matter; the time the block takes to run is used to leak information.

Raises:

  • (ArgumentError)


# File 'lib/msf/core/exploit/sqli/common.rb', line 26

def initialize(datastore, framework, user_output, opts = {}, &query_proc)
  raise ArgumentError, 'Missing the block that does the requests' unless block_given?
  raise ArgumentError, 'Positional arguments can\'t be nil' if [datastore, framework, user_output].any?(&:nil?)

  check_opts(opts)
  @query_proc = query_proc
  @safe = opts[:safe]
  @concat_separator = opts[:concat_separator]
  @second_concat_separator = opts[:second_concat_separator] || ';'
  @null_replacement = opts[:null_replacement] || ''
  @truncation_length = opts[:truncation_length] if opts[:truncation_length] && opts[:truncation_length].is_a?(Integer) && opts[:truncation_length] > 0
  @hex_encode_strings = opts[:hex_encode_strings]
  @encoder = opts[:encoder]
  @datastore = datastore
  @framework = framework
  @user_output = user_output
end

Instance Attribute Details

#concat_separator ⇒ Object

Returns the value of attribute concat_separator.



# File 'lib/msf/core/exploit/sqli/common.rb', line 73

def concat_separator
  @concat_separator
end

#datastore ⇒ Object (readonly)

Returns the value of attribute datastore.



# File 'lib/msf/core/exploit/sqli/common.rb', line 72

def datastore
  @datastore
end

#framework ⇒ Object (readonly)

Returns the value of attribute framework.



# File 'lib/msf/core/exploit/sqli/common.rb', line 72

def framework
  @framework
end

#null_replacement ⇒ Object

Returns the value of attribute null_replacement.



# File 'lib/msf/core/exploit/sqli/common.rb', line 73

def null_replacement
  @null_replacement
end

#safe ⇒ Object

Returns the value of attribute safe.



# File 'lib/msf/core/exploit/sqli/common.rb', line 73

def safe
  @safe
end

#second_concat_separator ⇒ Object

Returns the value of attribute second_concat_separator.



# File 'lib/msf/core/exploit/sqli/common.rb', line 73

def second_concat_separator
  @second_concat_separator
end

#truncation_length ⇒ Object

Returns the value of attribute truncation_length.



# File 'lib/msf/core/exploit/sqli/common.rb', line 73

def truncation_length
  @truncation_length
end

Instance Method Details

#raw_run_sql(query) ⇒ Object

Queries the block with the given SQL query without necessarily returning a result (needed, for example, when uploading a file using a time-based SQL injection, where it is not necessary to run multiple queries for that purpose). Not to be overridden; it is guaranteed that the query will run only once.
@param query [String] The SQL query to execute
@return [void]


# File 'lib/msf/core/exploit/sqli/common.rb', line 52

def raw_run_sql(query)
  vprint_status "{SQLi} Executing (#{query})"
  if @hex_encode_strings
    query = hex_encode_strings(query)
    vprint_status "{SQLi} Encoded to (#{query})"
  end
  @query_proc.call(query)
end
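The `hex_encode_strings` option applied in raw_run_sql above removes quotes from a payload by writing string literals as hex numbers, which is also what makes such statements hard to read when they appear in a database's query log. The following is an added example written for this page, not code from Metasploit or from the class documented here: it takes constructed sample log statements, decodes MySQL-style `0x...` literals that yield printable text back into quoted strings, and counts them as a review signal for log analysis. The sample statements, the regular expression and the function names are this example's own assumptions.

```ruby
# Constructed sample statements, of the kind a database general query log would
# record; the first two carry hex-encoded string literals, the last two do not.
SAMPLE_LOG_LINES = [
  "SELECT id FROM users WHERE name = 0x61646d696e",
  "SELECT 0x68656c6c6f, 0x776f726c64 FROM dual",
  "UPDATE items SET qty = 0x10 WHERE id = 3",
  "SELECT * FROM notes WHERE body = 'plain text'"
].freeze

HEX_LITERAL = /\b0x([0-9a-fA-F]+)\b/

# Decode a MySQL-style hex literal to the string it compares as in a string
# context. Returns nil for odd-length hex or for bytes that are not printable
# text, so numeric-looking literals such as 0x10 are left untouched.
def hex_literal_to_string(hex)
  return nil if hex.length.odd?

  str = [hex].pack('H*').force_encoding(Encoding::UTF_8)
  return nil unless str.valid_encoding? && str.match?(/\A[[:print:]]+\z/)

  str
end

# Rewrite every decodable hex literal as a quoted string so that analysts and
# log-based rules see the literal text; single quotes are doubled as SQL requires.
def decode_hex_literals(sql)
  sql.gsub(HEX_LITERAL) do |match|
    decoded = hex_literal_to_string(Regexp.last_match(1))
    decoded ? "'#{decoded.gsub("'", "''")}'" : match
  end
end

# Number of hex literals in a statement that decode to printable text. Several
# of them in a query that should carry plain string parameters is worth a look.
def hex_string_literal_count(sql)
  sql.scan(HEX_LITERAL).flatten.count { |hex| hex_literal_to_string(hex) }
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_LOG_LINES.each do |line|
    n = hex_string_literal_count(line)
    puts "#{n} hex string literal(s): #{decode_hex_literals(line)}"
  end
end
```

Run directly, the script prints each sample statement with its hex literals rewritten as quoted strings and the count of literals that decoded; `0x10` stays as written because it decodes to a control byte rather than text.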

#run_sql(query) ⇒ Object

Queries the block with the given SQL query and returns the result. This method is overridden in the blind SQL injection classes, which implement the logic of leaking one bit at a time while behaving exactly the same as this method.
@param query [String] The SQL query to execute
@return [String] The query results


# File 'lib/msf/core/exploit/sqli/common.rb', line 68

def run_sql(query)
  raw_run_sql(query)
end