ronin-code-sql 2.0.0.beta1 → 2.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/ruby.yml +15 -0
- data/.rubocop.yml +13 -0
- data/.yardopts +1 -1
- data/ChangeLog.md +10 -1
- data/Gemfile +4 -0
- data/README.md +26 -16
- data/Rakefile +1 -0
- data/gemspec.yml +3 -3
- data/lib/ronin/code/sql/binary_expr.rb +35 -2
- data/lib/ronin/code/sql/clause.rb +19 -8
- data/lib/ronin/code/sql/clauses.rb +17 -15
- data/lib/ronin/code/sql/emittable.rb +9 -2
- data/lib/ronin/code/sql/emitter.rb +65 -26
- data/lib/ronin/code/sql/field.rb +31 -6
- data/lib/ronin/code/sql/fields.rb +1 -1
- data/lib/ronin/code/sql/function.rb +15 -4
- data/lib/ronin/code/sql/functions.rb +3 -15
- data/lib/ronin/code/sql/injection.rb +4 -4
- data/lib/ronin/code/sql/injection_expr.rb +1 -1
- data/lib/ronin/code/sql/literal.rb +17 -2
- data/lib/ronin/code/sql/literals.rb +1 -1
- data/lib/ronin/code/sql/mixin.rb +95 -0
- data/lib/ronin/code/sql/operators.rb +1 -1
- data/lib/ronin/code/sql/statement.rb +14 -3
- data/lib/ronin/code/sql/statement_list.rb +1 -1
- data/lib/ronin/code/sql/statements.rb +1 -1
- data/lib/ronin/code/sql/unary_expr.rb +24 -2
- data/lib/ronin/code/sql/version.rb +3 -3
- data/lib/ronin/code/sql.rb +5 -64
- data/lib/ronin/code/sqli.rb +30 -0
- data/ronin-code-sql.gemspec +5 -5
- metadata +10 -51
- data/spec/spec_helper.rb +0 -3
- data/spec/sql/binary_expr_examples.rb +0 -25
- data/spec/sql/binary_expr_spec.rb +0 -5
- data/spec/sql/clause_examples.rb +0 -43
- data/spec/sql/clause_spec.rb +0 -31
- data/spec/sql/clauses_spec.rb +0 -47
- data/spec/sql/emittable_spec.rb +0 -41
- data/spec/sql/emitter_spec.rb +0 -533
- data/spec/sql/field_spec.rb +0 -103
- data/spec/sql/fields_spec.rb +0 -40
- data/spec/sql/function_examples.rb +0 -30
- data/spec/sql/function_spec.rb +0 -25
- data/spec/sql/functions_spec.rb +0 -113
- data/spec/sql/injection_expr_spec.rb +0 -98
- data/spec/sql/injection_spec.rb +0 -172
- data/spec/sql/literal_spec.rb +0 -5
- data/spec/sql/literals_spec.rb +0 -46
- data/spec/sql/operators_spec.rb +0 -44
- data/spec/sql/statement_examples.rb +0 -39
- data/spec/sql/statement_list_spec.rb +0 -48
- data/spec/sql/statement_spec.rb +0 -38
- data/spec/sql/statements_spec.rb +0 -22
- data/spec/sql/unary_expr_examples.rb +0 -20
- data/spec/sql/unary_expr_spec.rb +0 -5
- data/spec/sql_spec.rb +0 -18
data/lib/ronin/code/sql/field.rb
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -29,22 +29,33 @@ module Ronin
|
|
29
29
|
#
|
30
30
|
# @api semipublic
|
31
31
|
#
|
32
|
-
class Field
|
32
|
+
class Field
|
33
33
|
|
34
34
|
include Operators
|
35
35
|
include Emittable
|
36
36
|
|
37
|
+
# The name of the field.
|
38
|
+
#
|
39
|
+
# @return [String]
|
40
|
+
attr_reader :name
|
41
|
+
|
42
|
+
# The parent of the field name.
|
43
|
+
#
|
44
|
+
# @return [Field, nil]
|
45
|
+
attr_reader :parent
|
46
|
+
|
37
47
|
#
|
38
48
|
# Initializes the new field.
|
39
49
|
#
|
40
50
|
# @param [String] name
|
41
51
|
# The name of the field.
|
42
52
|
#
|
43
|
-
# @param [Field] parent
|
53
|
+
# @param [Field, nil] parent
|
44
54
|
# The parent of the field.
|
45
55
|
#
|
46
56
|
def initialize(name,parent=nil)
|
47
|
-
|
57
|
+
@name = name.to_s
|
58
|
+
@parent = parent
|
48
59
|
end
|
49
60
|
|
50
61
|
#
|
@@ -59,13 +70,27 @@ module Ronin
|
|
59
70
|
names = name.to_s.split('.',3)
|
60
71
|
field = nil
|
61
72
|
|
62
|
-
names.each { |
|
73
|
+
names.each { |keyword| field = new(keyword,field) }
|
63
74
|
|
64
75
|
return field
|
65
76
|
end
|
66
77
|
|
67
78
|
alias to_str to_s
|
68
79
|
|
80
|
+
#
|
81
|
+
# Determines if the field responds to the given method.
|
82
|
+
#
|
83
|
+
# @param [Symbol] name
|
84
|
+
# The method name.
|
85
|
+
#
|
86
|
+
# @return [Boolean]
|
87
|
+
# Will return false if the field already has two parents, otherwise
|
88
|
+
# will return true.
|
89
|
+
#
|
90
|
+
def respond_to_missing?(name)
|
91
|
+
self.parent.nil? || self.parent.parent.nil?
|
92
|
+
end
|
93
|
+
|
69
94
|
protected
|
70
95
|
|
71
96
|
#
|
@@ -75,7 +100,7 @@ module Ronin
|
|
75
100
|
# The sub-field name.
|
76
101
|
#
|
77
102
|
# @param [Array] arguments
|
78
|
-
# Additional
|
103
|
+
# Additional method arguments.
|
79
104
|
#
|
80
105
|
# @return [Field]
|
81
106
|
# The sub-field for the given name.
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -29,11 +29,21 @@ module Ronin
|
|
29
29
|
#
|
30
30
|
# @api semipublic
|
31
31
|
#
|
32
|
-
class Function
|
32
|
+
class Function
|
33
33
|
|
34
34
|
include Operators
|
35
35
|
include Emittable
|
36
36
|
|
37
|
+
# The function's name.
|
38
|
+
#
|
39
|
+
# @return [Symbol]
|
40
|
+
attr_reader :name
|
41
|
+
|
42
|
+
# The function's arguments.
|
43
|
+
#
|
44
|
+
# @return [Array]
|
45
|
+
attr_reader :arguments
|
46
|
+
|
37
47
|
#
|
38
48
|
# Creates a new Function object.
|
39
49
|
#
|
@@ -41,10 +51,11 @@ module Ronin
|
|
41
51
|
# The name of the function.
|
42
52
|
#
|
43
53
|
# @param [Array] arguments
|
44
|
-
# The arguments
|
54
|
+
# The arguments being passed to the function.
|
45
55
|
#
|
46
56
|
def initialize(name,*arguments)
|
47
|
-
|
57
|
+
@name = name
|
58
|
+
@arguments = arguments
|
48
59
|
end
|
49
60
|
|
50
61
|
end
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -101,7 +101,7 @@ module Ronin
|
|
101
101
|
#
|
102
102
|
# The `SQRT` function.
|
103
103
|
#
|
104
|
-
# @param [Field, Symbol] field
|
104
|
+
# @param [Field, Function, Symbol, Numeric] field
|
105
105
|
# The field to aggregate.
|
106
106
|
#
|
107
107
|
# @return [Function]
|
@@ -502,18 +502,6 @@ module Ronin
|
|
502
502
|
Function.new(:SIN,x)
|
503
503
|
end
|
504
504
|
|
505
|
-
#
|
506
|
-
# The `SQRT` function.
|
507
|
-
#
|
508
|
-
# @param [Field, Function, Symbol, Numeric] x
|
509
|
-
#
|
510
|
-
# @return [Function]
|
511
|
-
# The new function.
|
512
|
-
#
|
513
|
-
def sqrt(x)
|
514
|
-
Function.new(:SQRT,x)
|
515
|
-
end
|
516
|
-
|
517
505
|
#
|
518
506
|
# The `STD` function.
|
519
507
|
#
|
@@ -1045,7 +1033,7 @@ module Ronin
|
|
1045
1033
|
def replace(string,from_string,to_string)
|
1046
1034
|
Function.new(:REPLACE,string,from_string,to_string)
|
1047
1035
|
end
|
1048
|
-
|
1036
|
+
|
1049
1037
|
#
|
1050
1038
|
# The `REVERSE` function.
|
1051
1039
|
#
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -145,17 +145,17 @@ module Ronin
|
|
145
145
|
when :string, :list
|
146
146
|
if (terminate || (sql[0,1] != sql[-1,1]))
|
147
147
|
# terminate the expression
|
148
|
-
sql << '
|
148
|
+
sql << ';' << emitter.emit_comment
|
149
149
|
else
|
150
150
|
sql = sql[0..-2]
|
151
151
|
end
|
152
152
|
|
153
153
|
# balance the quotes
|
154
|
-
sql = sql[1
|
154
|
+
sql = sql[1..]
|
155
155
|
else
|
156
156
|
if terminate
|
157
157
|
# terminate the expression
|
158
|
-
sql << '
|
158
|
+
sql << ';' << emitter.emit_comment
|
159
159
|
end
|
160
160
|
end
|
161
161
|
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -29,11 +29,26 @@ module Ronin
|
|
29
29
|
#
|
30
30
|
# @api semipublic
|
31
31
|
#
|
32
|
-
class Literal
|
32
|
+
class Literal
|
33
33
|
|
34
34
|
include Operators
|
35
35
|
include Emittable
|
36
36
|
|
37
|
+
# The literal value.
|
38
|
+
#
|
39
|
+
# @return [String, Integer, Float, :NULL]
|
40
|
+
attr_reader :value
|
41
|
+
|
42
|
+
#
|
43
|
+
# Initializes the literal value.
|
44
|
+
#
|
45
|
+
# @param [String, Integer, Float, :NULL] value
|
46
|
+
# The value for the literal.
|
47
|
+
#
|
48
|
+
def initialize(value)
|
49
|
+
@value = value
|
50
|
+
end
|
51
|
+
|
37
52
|
end
|
38
53
|
end
|
39
54
|
end
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -0,0 +1,95 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
|
+
#
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
|
+
#
|
7
|
+
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
|
+
# it under the terms of the GNU Lesser General Public License as published
|
9
|
+
# by the Free Software Foundation, either version 3 of the License, or
|
10
|
+
# (at your option) any later version.
|
11
|
+
#
|
12
|
+
# ronin-code-sql is distributed in the hope that it will be useful,
|
13
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
14
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
15
|
+
# GNU Lesser General Public License for more details.
|
16
|
+
#
|
17
|
+
# You should have received a copy of the GNU Lesser General Public License
|
18
|
+
# along with ronin-code-sql. If not, see <https://www.gnu.org/licenses/>.
|
19
|
+
#
|
20
|
+
|
21
|
+
require 'ronin/code/sql/statement_list'
|
22
|
+
require 'ronin/code/sql/injection'
|
23
|
+
|
24
|
+
module Ronin
|
25
|
+
module Code
|
26
|
+
module SQL
|
27
|
+
#
|
28
|
+
# Adds helper methods for building SQL or SQL injections.
|
29
|
+
#
|
30
|
+
# @since 2.1.0
|
31
|
+
#
|
32
|
+
module Mixin
|
33
|
+
#
|
34
|
+
# Creates a new SQL statement list.
|
35
|
+
#
|
36
|
+
# @yield [(statements)]
|
37
|
+
# If a block is given, it will be evaluated within the statement list.
|
38
|
+
# If the block accepts an argument, the block will be called with the
|
39
|
+
# new statement list.
|
40
|
+
#
|
41
|
+
# @yieldparam [StatementList] statements
|
42
|
+
# The new statement list.
|
43
|
+
#
|
44
|
+
# @return [StatementList]
|
45
|
+
# The new SQL statement list.
|
46
|
+
#
|
47
|
+
# @example
|
48
|
+
# sql { select(1,2,3,4,id).from(users) }
|
49
|
+
# # => #<Ronin::Code::SQL::StatementList: SELECT (1,2,3,4,id) FROM users>
|
50
|
+
#
|
51
|
+
# @api public
|
52
|
+
#
|
53
|
+
def sql(&block)
|
54
|
+
StatementList.new(&block)
|
55
|
+
end
|
56
|
+
|
57
|
+
#
|
58
|
+
# Creates a new SQL injection (SQLi)
|
59
|
+
#
|
60
|
+
# @param [Hash{Symbol => Object}] kwargs
|
61
|
+
# Additional keyword arguments for {Injection#initialize}.
|
62
|
+
#
|
63
|
+
# @option kwargs [:integer, :decimal, :string, :column] :escape
|
64
|
+
# The type of element to escape out of.
|
65
|
+
#
|
66
|
+
# @option kwargs [Boolean] :terminate
|
67
|
+
# Specifies whether to terminate the SQLi with a comment.
|
68
|
+
#
|
69
|
+
# @option kwargs [String, Symbol, Integer] :place_holder
|
70
|
+
# Place-holder data.
|
71
|
+
#
|
72
|
+
# @yield [(injection)]
|
73
|
+
# If a block is given, it will be evaluated within the injection.
|
74
|
+
# If the block accepts an argument, the block will be called with the
|
75
|
+
# new injection.
|
76
|
+
#
|
77
|
+
# @yieldparam [Injection] injection
|
78
|
+
# The new injection.
|
79
|
+
#
|
80
|
+
# @return [Injection]
|
81
|
+
# The new SQL injection.
|
82
|
+
#
|
83
|
+
# @example
|
84
|
+
# sqli { self.and { 1 == 1 }.select(1,2,3,4,id).from(users) }
|
85
|
+
# # => #<Ronin::Code::SQL::Injection: 1 AND 1=1; SELECT (1,2,3,4,id) FROM users; SELECT (1,2,3,4,id) FROM users>
|
86
|
+
#
|
87
|
+
# @api public
|
88
|
+
#
|
89
|
+
def sqli(**kwargs,&block)
|
90
|
+
Injection.new(**kwargs,&block)
|
91
|
+
end
|
92
|
+
end
|
93
|
+
end
|
94
|
+
end
|
95
|
+
end
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -32,13 +32,23 @@ module Ronin
|
|
32
32
|
#
|
33
33
|
# @api semipublic
|
34
34
|
#
|
35
|
-
class Statement
|
35
|
+
class Statement
|
36
36
|
|
37
37
|
include Literals
|
38
38
|
include Operators
|
39
39
|
include Clauses
|
40
40
|
include Emittable
|
41
41
|
|
42
|
+
# The statement name.
|
43
|
+
#
|
44
|
+
# @return [Symbol, Array<Symbol>]
|
45
|
+
attr_reader :keyword
|
46
|
+
|
47
|
+
# The statement's argument.
|
48
|
+
#
|
49
|
+
# @return [Object, nil]
|
50
|
+
attr_reader :argument
|
51
|
+
|
42
52
|
#
|
43
53
|
# Initializes a new SQL statement.
|
44
54
|
#
|
@@ -56,7 +66,8 @@ module Ronin
|
|
56
66
|
# Otherwise the block will be evaluated within the statement.
|
57
67
|
#
|
58
68
|
def initialize(keyword,argument=nil,&block)
|
59
|
-
|
69
|
+
@keyword = keyword
|
70
|
+
@argument = argument
|
60
71
|
|
61
72
|
if block
|
62
73
|
case block.arity
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -28,10 +28,32 @@ module Ronin
|
|
28
28
|
#
|
29
29
|
# @api semipublic
|
30
30
|
#
|
31
|
-
class UnaryExpr
|
31
|
+
class UnaryExpr
|
32
32
|
|
33
33
|
include Emittable
|
34
34
|
|
35
|
+
# The unary operator symbol.
|
36
|
+
#
|
37
|
+
# @return [Symbol]
|
38
|
+
attr_reader :operator
|
39
|
+
|
40
|
+
# The unary operand.
|
41
|
+
#
|
42
|
+
# @return [Statement, BinaryExpr, Function, Field, Literal]
|
43
|
+
attr_reader :operand
|
44
|
+
|
45
|
+
#
|
46
|
+
# Initializes the unary expression.
|
47
|
+
#
|
48
|
+
# @param [Symbol] operator
|
49
|
+
#
|
50
|
+
# @param [Statement, BinaryExpr, Function, Field, Literal] operand
|
51
|
+
#
|
52
|
+
def initialize(operator,operand)
|
53
|
+
@operator = operator
|
54
|
+
@operand = operand
|
55
|
+
end
|
56
|
+
|
35
57
|
end
|
36
58
|
end
|
37
59
|
end
|
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -21,8 +21,8 @@
|
|
21
21
|
module Ronin
|
22
22
|
module Code
|
23
23
|
module SQL
|
24
|
-
#
|
25
|
-
VERSION = '2.
|
24
|
+
# ronin-code-sql version
|
25
|
+
VERSION = '2.1.0'
|
26
26
|
end
|
27
27
|
end
|
28
28
|
end
|
data/lib/ronin/code/sql.rb
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
#
|
3
3
|
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
4
|
#
|
5
|
-
# Copyright (c) 2007-
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
6
|
#
|
7
7
|
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
8
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -18,8 +18,8 @@
|
|
18
18
|
# along with ronin-code-sql. If not, see <https://www.gnu.org/licenses/>.
|
19
19
|
#
|
20
20
|
|
21
|
-
require 'ronin/code/sql/
|
22
|
-
require 'ronin/code/
|
21
|
+
require 'ronin/code/sql/mixin'
|
22
|
+
require 'ronin/code/sqli'
|
23
23
|
|
24
24
|
module Ronin
|
25
25
|
module Code
|
@@ -30,67 +30,8 @@ module Ronin
|
|
30
30
|
# @see http://en.wikipedia.org/wiki/SQL_injection
|
31
31
|
#
|
32
32
|
module SQL
|
33
|
-
|
34
|
-
|
35
|
-
# Creates a new SQL statement list.
|
36
|
-
#
|
37
|
-
# @yield [(statements)]
|
38
|
-
# If a block is given, it will be evaluated within the statement list.
|
39
|
-
# If the block accepts an argument, the block will be called with the
|
40
|
-
# new statement list.
|
41
|
-
#
|
42
|
-
# @yieldparam [StatementList] statements
|
43
|
-
# The new statement list.
|
44
|
-
#
|
45
|
-
# @return [StatementList]
|
46
|
-
# The new SQL statement list.
|
47
|
-
#
|
48
|
-
# @example
|
49
|
-
# sql { select(1,2,3,4,id).from(users) }
|
50
|
-
# # => #<Ronin::Code::SQL::StatementList: SELECT (1,2,3,4,id) FROM users>
|
51
|
-
#
|
52
|
-
# @api public
|
53
|
-
#
|
54
|
-
def sql(&block)
|
55
|
-
StatementList.new(&block)
|
56
|
-
end
|
57
|
-
|
58
|
-
#
|
59
|
-
# Creates a new SQL injection (SQLi)
|
60
|
-
#
|
61
|
-
# @param [Hash{Symbol => Object}] kwargs
|
62
|
-
# Additional keyword arguments for {Injection#initialize}.
|
63
|
-
#
|
64
|
-
# @option kwargs [:integer, :decimal, :string, :column] :escape
|
65
|
-
# The type of element to escape out of.
|
66
|
-
#
|
67
|
-
# @option kwargs [Boolean] :terminate
|
68
|
-
# Specifies whether to terminate the SQLi with a comment.
|
69
|
-
#
|
70
|
-
# @option kwargs [String, Symbol, Integer] :place_holder
|
71
|
-
# Place-holder data.
|
72
|
-
#
|
73
|
-
# @yield [(injection)]
|
74
|
-
# If a block is given, it will be evaluated within the injection.
|
75
|
-
# If the block accepts an argument, the block will be called with the
|
76
|
-
# new injection.
|
77
|
-
#
|
78
|
-
# @yieldparam [Injection] injection
|
79
|
-
# The new injection.
|
80
|
-
#
|
81
|
-
# @return [Injection]
|
82
|
-
# The new SQL injection.
|
83
|
-
#
|
84
|
-
# @example
|
85
|
-
# sqli { self.and { 1 == 1 }.select(1,2,3,4,id).from(users) }
|
86
|
-
# # => #<Ronin::Code::SQL::Injection: 1 AND 1=1; SELECT (1,2,3,4,id) FROM users; SELECT (1,2,3,4,id) FROM users>
|
87
|
-
#
|
88
|
-
# @api public
|
89
|
-
#
|
90
|
-
def sqli(**kwargs,&block)
|
91
|
-
Injection.new(**kwargs,&block)
|
92
|
-
end
|
93
|
-
|
33
|
+
include Mixin
|
34
|
+
extend Mixin
|
94
35
|
end
|
95
36
|
end
|
96
37
|
end
|
@@ -0,0 +1,30 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
|
4
|
+
#
|
5
|
+
# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
|
6
|
+
#
|
7
|
+
# ronin-code-sql is free software: you can redistribute it and/or modify
|
8
|
+
# it under the terms of the GNU Lesser General Public License as published
|
9
|
+
# by the Free Software Foundation, either version 3 of the License, or
|
10
|
+
# (at your option) any later version.
|
11
|
+
#
|
12
|
+
# ronin-code-sql is distributed in the hope that it will be useful,
|
13
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
14
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
15
|
+
# GNU Lesser General Public License for more details.
|
16
|
+
#
|
17
|
+
# You should have received a copy of the GNU Lesser General Public License
|
18
|
+
# along with ronin-code-sql. If not, see <https://www.gnu.org/licenses/>.
|
19
|
+
#
|
20
|
+
|
21
|
+
require 'ronin/code/sql/injection'
|
22
|
+
|
23
|
+
module Ronin
|
24
|
+
module Code
|
25
|
+
# Alias for {SQL::Injection}.
|
26
|
+
#
|
27
|
+
# @since 2.1.0
|
28
|
+
SQLI = SQL::Injection
|
29
|
+
end
|
30
|
+
end
|
data/ronin-code-sql.gemspec
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
#
|
1
|
+
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require 'yaml'
|
4
4
|
|
@@ -22,19 +22,19 @@ Gem::Specification.new do |gem|
|
|
22
22
|
gem.homepage = gemspec['homepage']
|
23
23
|
gem.metadata = gemspec['metadata'] if gemspec['metadata']
|
24
24
|
|
25
|
-
glob =
|
25
|
+
glob = ->(patterns) { gem.files & Dir[*patterns] }
|
26
26
|
|
27
27
|
gem.files = `git ls-files`.split($/)
|
28
28
|
gem.files = glob[gemspec['files']] if gemspec['files']
|
29
29
|
gem.files += Array(gemspec['generated_files'])
|
30
|
+
# exclude test files from the packages gem
|
31
|
+
gem.files -= glob[gemspec['test_files'] || 'spec/{**/}*']
|
30
32
|
|
31
33
|
gem.executables = gemspec.fetch('executables') do
|
32
34
|
glob['bin/*'].map { |path| File.basename(path) }
|
33
35
|
end
|
34
|
-
gem.default_executable = gem.executables.first if Gem::VERSION < '1.7.'
|
35
36
|
|
36
37
|
gem.extensions = glob[gemspec['extensions'] || 'ext/**/extconf.rb']
|
37
|
-
gem.test_files = glob[gemspec['test_files'] || 'spec/{**/}*_spec.rb']
|
38
38
|
gem.extra_rdoc_files = glob[gemspec['extra_doc_files'] || '*.{txt,md}']
|
39
39
|
|
40
40
|
gem.require_paths = Array(gemspec.fetch('require_paths') {
|
@@ -46,7 +46,7 @@ Gem::Specification.new do |gem|
|
|
46
46
|
gem.required_rubygems_version = gemspec['required_rubygems_version']
|
47
47
|
gem.post_install_message = gemspec['post_install_message']
|
48
48
|
|
49
|
-
split =
|
49
|
+
split = ->(string) { string.split(/,\s*/) }
|
50
50
|
|
51
51
|
if gemspec['dependencies']
|
52
52
|
gemspec['dependencies'].each do |name,versions|
|