Class: Msf::Exploit::SQLi::Common
- Inherits: Object
  - Object
  - Msf::Exploit::SQLi::Common
- Includes: Module::UI
- Defined in: lib/msf/core/exploit/sqli/common.rb
Direct Known Subclasses
Mssqli::Common, MySQLi::Common, PostgreSQLi::Common, SQLitei::Common
Instance Attribute Summary
- #concat_separator ⇒ Object
  Returns the value of attribute concat_separator.
- #datastore ⇒ Object (readonly)
  Returns the value of attribute datastore.
- #framework ⇒ Object (readonly)
  Returns the value of attribute framework.
- #null_replacement ⇒ Object
  Returns the value of attribute null_replacement.
- #safe ⇒ Object
  Returns the value of attribute safe.
- #second_concat_separator ⇒ Object
  Returns the value of attribute second_concat_separator.
- #truncation_length ⇒ Object
  Returns the value of attribute truncation_length.
Attributes included from Rex::Ui::Subscriber::Input
Attributes included from Rex::Ui::Subscriber::Output
Instance Method Summary
- #initialize(datastore, framework, user_output, opts = {}, &query_proc) ⇒ Common (constructor)
  Creates an instance of an SQL Injection object. Users should use the create_dbms method of Msf::Exploit::SQLi instead.
- #raw_run_sql(query) ⇒ Object
  Passes the given SQL query to the block without necessarily returning a result. This is needed, for example, when uploading a file using a time-based SQL injection, as it's not necessary to run multiple queries for that purpose. Not to be overridden; it is guaranteed that the query will run only once.
- #run_sql(query) ⇒ Object
  Passes the given SQL query to the block and returns the result. This method is overridden in blind SQL injection classes, which implement the logic of leaking one bit at a time while working exactly the same as this method.
Methods included from Module::UI
Methods included from Module::UI::Message
#print_error, #print_good, #print_prefix, #print_status, #print_warning
Methods included from Module::UI::Message::Verbose
#vprint_error, #vprint_good, #vprint_status, #vprint_warning
Methods included from Module::UI::Line
#print_line, #print_line_prefix
Methods included from Module::UI::Line::Verbose
Methods included from Rex::Ui::Subscriber
Methods included from Rex::Ui::Subscriber::Input
Methods included from Rex::Ui::Subscriber::Output
#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning
Constructor Details
#initialize(datastore, framework, user_output, opts = {}, &query_proc) ⇒ Common
Creates an instance of an SQL Injection object. Users should use the create_dbms method of Msf::Exploit::SQLi instead.
@param datastore [DataStore]
@param framework [Framework]
@param user_output [Rex::Ui::Text::Output::Stdio]
@param opts [Hash] a dictionary containing the parameters needed
@option opts [Integer] truncation_length : [Optional] The number of characters returned, if the query result is truncated
@option opts [String] concat_separator : [Optional] The separator to use when concatenating rows (default ',')
@option opts [String] second_concat_separator : [Optional] The separator to use when concatenating columns (default ';')
@option opts [Boolean] safe : don't use group_concat; safer for large tables if group_concat truncates the result, but more queries will be performed
@option opts [String] null_replacement : a string that will replace NULL values
@option opts [Boolean] hex_encode_strings : encode strings as hex numbers, so that the payload contains no quotes
@option opts [Object] encoder : an encoder name, or a hash specifying a custom encoder; see Encoders in DBMS-specific classes
@param query_proc [Proc] a block that will receive the payload and should send the request to the target:
- if it's a regular SQL injection, it should return the part of the response that is the query result (one row)
- if it's a boolean-based blind SQL injection, it should return `true`, `false`, or a value that evaluates to one of them: `true` if the query returned a result, `false` otherwise
- if it's a time-based blind SQL injection, the return value does not matter; the time the block takes to run is used to leak information
    # File 'lib/msf/core/exploit/sqli/common.rb', line 26
    def initialize(datastore, framework, user_output, opts = {}, &query_proc)
      raise ArgumentError, 'Missing the block that does the requests' unless block_given?
      raise ArgumentError, 'Positional arguments can\'t be nil' if [datastore, framework, user_output].any?(&:nil?)
      check_opts(opts)
      @query_proc = query_proc
      @safe = opts[:safe]
      @concat_separator = opts[:concat_separator]
      @second_concat_separator = opts[:second_concat_separator] || ';'
      @null_replacement = opts[:null_replacement] || ''
      @truncation_length = opts[:truncation_length] if opts[:truncation_length] && opts[:truncation_length].is_a?(Integer) && opts[:truncation_length] > 0
      @hex_encode_strings = opts[:hex_encode_strings]
      @encoder = opts[:encoder]
      @datastore = datastore
      @framework = framework
      @user_output = user_output
    end
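Because `hex_encode_strings` produces payloads with no quotes, detection rules that key on quote characters will not match them. The following is an added example, not Metasploit code: it scans constructed access-log lines for hex literals that decode to readable text. The `0x` literal form, the 4-byte minimum, the log layout and the function names are assumptions of this example.

```ruby
require 'uri'

# Constructed sample lines (not real traffic) in a common-log-like layout.
SAMPLE_LOG = [
  '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=5 HTTP/1.1" 200 512',
  # Hex literal that decodes to non-printable bytes: should not be flagged.
  '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /item?mask=0xff00ff80 HTTP/1.1" 200 498',
  # Quote-free comparisons against hex-encoded strings: should be flagged.
  '198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=5%20and%20name%3D0x61646d696e HTTP/1.1" 200 17',
  '198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=5+and+t%3D0x7573657273+and+1 HTTP/1.1" 200 17'
].freeze

# Assumption: strings are encoded as 0x-prefixed literals of at least 4 bytes.
HEX_LITERAL = /\b0x((?:[0-9a-f]{2}){4,})\b/i

# Returns the decoded text if every byte is printable ASCII, otherwise nil.
def decode_printable(hex)
  text = [hex].pack('H*')
  text.force_encoding(Encoding::US_ASCII) if text.match?(/\A[\x20-\x7e]+\z/)
end

# Returns one finding per hex literal that decodes to readable text.
def hex_string_findings(lines)
  lines.each_with_index.flat_map do |line, idx|
    query = line[/"[A-Z]+ (\S+) HTTP\/[\d.]+"/, 1].to_s.split('?', 2)[1]
    next [] unless query

    fields = begin
      URI.decode_www_form(query).flatten # parameter names and values
    rescue ArgumentError
      [query] # malformed %-encoding: fall back to the raw query string
    end
    fields.flat_map do |field|
      field.scrub.scan(HEX_LITERAL).filter_map do |(hex)|
        text = decode_printable(hex)
        text && { line: idx + 1, client: line[/\A\S+/], decoded: text }
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  hex_string_findings(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

Treat the findings as a triage signal and tune the minimum length against identifiers that legitimately appear as hex in your own traffic.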
Instance Attribute Details
#concat_separator ⇒ Object
Returns the value of attribute concat_separator.
    # File 'lib/msf/core/exploit/sqli/common.rb', line 73
    def concat_separator
      @concat_separator
    end
#datastore ⇒ Object (readonly)
Returns the value of attribute datastore.
    # File 'lib/msf/core/exploit/sqli/common.rb', line 72
    def datastore
      @datastore
    end
#framework ⇒ Object (readonly)
Returns the value of attribute framework.
    # File 'lib/msf/core/exploit/sqli/common.rb', line 72
    def framework
      @framework
    end
#null_replacement ⇒ Object
Returns the value of attribute null_replacement.
    # File 'lib/msf/core/exploit/sqli/common.rb', line 73
    def null_replacement
      @null_replacement
    end
#safe ⇒ Object
Returns the value of attribute safe.
    # File 'lib/msf/core/exploit/sqli/common.rb', line 73
    def safe
      @safe
    end
#second_concat_separator ⇒ Object
Returns the value of attribute second_concat_separator.
    # File 'lib/msf/core/exploit/sqli/common.rb', line 73
    def second_concat_separator
      @second_concat_separator
    end
#truncation_length ⇒ Object
Returns the value of attribute truncation_length.
    # File 'lib/msf/core/exploit/sqli/common.rb', line 73
    def truncation_length
      @truncation_length
    end
Instance Method Details
#raw_run_sql(query) ⇒ Object
Passes the given SQL query to the block without necessarily returning a result. This is needed,
for example, when uploading a file using a time-based SQL injection, as it's not necessary to
run multiple queries for that purpose. Not to be overridden; it is guaranteed that the query
will run only once.
@param query [String] The SQL query to execute
@return [void]
    # File 'lib/msf/core/exploit/sqli/common.rb', line 52
    def raw_run_sql(query)
      vprint_status "{SQLi} Executing (#{query})"
      if @hex_encode_strings
        query = hex_encode_strings(query)
        vprint_status "{SQLi} Encoded to (#{query})"
      end
      @query_proc.call(query)
    end
#run_sql(query) ⇒ Object
Passes the given SQL query to the block and returns the result. This method is overridden in
blind SQL injection classes, which implement the logic of leaking one bit at a time while
working exactly the same as this method.
@param query [String] The SQL query to execute
@return [String] The query results
    # File 'lib/msf/core/exploit/sqli/common.rb', line 68
    def run_sql(query)
      raw_run_sql(query)
    end