ronin-sql 0.1.1 → 0.2.0

data/History.txt

@@ -1,3 +1,46 @@
+=== 0.2.0 / 2009-01-08
+
+* Require Ronin >= 0.1.3.
+* Refactored Ronin::Code::SQL.
+  * Implemented a token emitter system.
+  * Support common SQL expression modifiers.
+  * Support common SQL clauses.
+  * Allow for injecting arbitrary SQL clauses.
+  * Added more SQL Injection test generators.
+    * all_rows:
+
+         OR 1 = 1
+
+    * exact_rows:
+
+         AND 1 = 1
+
+    * no_rows:
+
+         AND 1 = 0
+
+    * has_column?(column):
+
+         OR column IS NOT NULL
+
+    * has_table?(table):
+
+         AND (SELECT FROM table count(*) == 1)
+
+    * uses_column?(column):
+
+         GROUP BY column HAVING 1 = 1
+
+    * uses_table?(table):
+
+         OR table IS NOT NULL
+
+* Removed references to Ronin::Vulnerable.
+* Added more specs:
+  * Specs for most of Ronin::Code::SQL.
+  * Specs on Ronin::SQL::Error and the SQL encoding/decoding extensions for
+    the String class.
+
 === 0.1.1 / 2008-09-28
 
 * Trivial bug fix to URI::HTTP#sql_errors.

data/Manifest.txt

@@ -4,42 +4,95 @@ Manifest.txt
 README.txt
 Rakefile
 lib/ronin/code/sql.rb
-lib/ronin/code/sql/between.rb
-lib/ronin/code/sql/binary_expr.rb
-lib/ronin/code/sql/builder.rb
-lib/ronin/code/sql/code.rb
-lib/ronin/code/sql/common_dialect.rb
-lib/ronin/code/sql/create_index.rb
-lib/ronin/code/sql/create_table.rb
-lib/ronin/code/sql/create_view.rb
-lib/ronin/code/sql/delete.rb
-lib/ronin/code/sql/dialect.rb
-lib/ronin/code/sql/drop_table.rb
 lib/ronin/code/sql/exceptions.rb
 lib/ronin/code/sql/exceptions/unknown_dialect.rb
+lib/ronin/code/sql/exceptions/unknown_statement.rb
+lib/ronin/code/sql/exceptions/unknown_clause.rb
+lib/ronin/code/sql/token.rb
+lib/ronin/code/sql/emittable.rb
+lib/ronin/code/sql/modifier.rb
+lib/ronin/code/sql/asc.rb
+lib/ronin/code/sql/desc.rb
+lib/ronin/code/sql/as.rb
 lib/ronin/code/sql/expr.rb
+lib/ronin/code/sql/unary_expr.rb
+lib/ronin/code/sql/binary_expr.rb
+lib/ronin/code/sql/like.rb
+lib/ronin/code/sql/between.rb
+lib/ronin/code/sql/in.rb
 lib/ronin/code/sql/field.rb
+lib/ronin/code/sql/clause.rb
+lib/ronin/code/sql/on_clause.rb
+lib/ronin/code/sql/where_clause.rb
+lib/ronin/code/sql/group_by_clause.rb
+lib/ronin/code/sql/fields_clause.rb
+lib/ronin/code/sql/set_clause.rb
+lib/ronin/code/sql/values_clause.rb
+lib/ronin/code/sql/from_clause.rb
+lib/ronin/code/sql/default_values_clause.rb
+lib/ronin/code/sql/join_clause.rb
+lib/ronin/code/sql/order_by_clause.rb
+lib/ronin/code/sql/limit_clause.rb
+lib/ronin/code/sql/offset_clause.rb
+lib/ronin/code/sql/union_clause.rb
+lib/ronin/code/sql/having_clause.rb
+lib/ronin/code/sql/union_all_clause.rb
+lib/ronin/code/sql/intersect_clause.rb
+lib/ronin/code/sql/rename_to_clause.rb
+lib/ronin/code/sql/add_column_clause.rb
 lib/ronin/code/sql/function.rb
-lib/ronin/code/sql/in.rb
-lib/ronin/code/sql/injection.rb
-lib/ronin/code/sql/injection_builder.rb
-lib/ronin/code/sql/injection_style.rb
+lib/ronin/code/sql/statement.rb
+lib/ronin/code/sql/create.rb
+lib/ronin/code/sql/create_index.rb
+lib/ronin/code/sql/create_table.rb
+lib/ronin/code/sql/create_view.rb
 lib/ronin/code/sql/insert.rb
-lib/ronin/code/sql/keyword.rb
-lib/ronin/code/sql/like_expr.rb
-lib/ronin/code/sql/program.rb
-lib/ronin/code/sql/replace.rb
 lib/ronin/code/sql/select.rb
-lib/ronin/code/sql/statement.rb
-lib/ronin/code/sql/style.rb
-lib/ronin/code/sql/unary_expr.rb
+lib/ronin/code/sql/replace.rb
 lib/ronin/code/sql/update.rb
+lib/ronin/code/sql/delete.rb
+lib/ronin/code/sql/drop.rb
+lib/ronin/code/sql/drop_index.rb
+lib/ronin/code/sql/drop_table.rb
+lib/ronin/code/sql/drop_view.rb
+lib/ronin/code/sql/dialect.rb
+lib/ronin/code/sql/common_dialect.rb
+lib/ronin/code/sql/program.rb
+lib/ronin/code/sql/injected_statement.rb
+lib/ronin/code/sql/injection.rb
+lib/ronin/code/sql/code.rb
 lib/ronin/sql/extensions.rb
 lib/ronin/sql/extensions/uri.rb
 lib/ronin/sql/extensions/uri/http.rb
+lib/ronin/sql/error/message.rb
+lib/ronin/sql/error/pattern.rb
+lib/ronin/sql/error/error.rb
+lib/ronin/sql/error/patterns.rb
 lib/ronin/sql/error.rb
-lib/ronin/sql/sql.rb
+lib/ronin/sql/injection.rb
 lib/ronin/sql/version.rb
 lib/ronin/sql.rb
 tasks/spec.rb
 spec/spec_helper.rb
+spec/sql_spec.rb
+spec/helpers/code.rb
+spec/code/sql/has_default_values_clause_examples.rb
+spec/code/sql/has_fields_clause_examples.rb
+spec/code/sql/has_from_clause_examples.rb
+spec/code/sql/has_values_clause_examples.rb
+spec/code/sql/has_where_clause_examples.rb
+spec/code/sql/create_examples.rb
+spec/code/sql/create_table_spec.rb
+spec/code/sql/create_index_spec.rb
+spec/code/sql/create_view_spec.rb
+spec/code/sql/drop_examples.rb
+spec/code/sql/drop_table_spec.rb
+spec/code/sql/drop_index_spec.rb
+spec/code/sql/drop_view_spec.rb
+spec/code/sql/insert_spec.rb
+spec/code/sql/select_spec.rb
+spec/code/sql/update_spec.rb
+spec/code/sql/replace_spec.rb
+spec/code/sql/delete_spec.rb
+spec/sql/error_spec.rb
+spec/sql/extensions/string_spec.rb

data/README.txt

@@ -1,7 +1,9 @@
 = Ronin SQL
 
 * http://ronin.rubyforge.org/sql/
-* Postmodern Modulus III
+* http://github.com/postmodern/ronin-sql
+* irc.freenode.net ##ronin
+* Postmodern (postmodern.mod3 at gmail.com)
 
 == DESCRIPTION:
 
@@ -22,9 +24,9 @@ commercial software.
 
 === Modular
 
-Ronin was not designed as one monolithic library but instead as a collection
-of libraries which can be individually installed. This allows users to pick
-and choose what functionality they want in Ronin.
+Ronin was not designed as one monolithic framework but instead as a
+collection of libraries which can be individually installed. This allows
+users to pick and choose what functionality they want in Ronin.
 
 === Decentralized
 
@@ -37,19 +39,42 @@ of Ronin.
 
 == FEATURES:
 
-* Provides an DSL for crafting normal SQL and SQL injections.
+* Provides an Domain Specific Language (DSL) for crafting normal SQL and
+  SQL injections.
 * Provides tests for finding SQL injections.
 
+== REQUIREMENTS:
+
+* Ronin >= 0.1.2
+
 == INSTALL:
 
   $ sudo gem install ronin-sql
 
+== EXAMPLES:
+
+* Generate valid SQL using the Ronin SQL DSL.
+
+  puts Code.sql {
+    select(:from => :users, :where => (name == 'bob'))
+  }
+  SELECT * FROM users WHERE name = 'bob'
+  => nil
+
+* Generate valid SQL injections using the Ronin SQL injection DSL.
+
+  puts Code.sql_injection {
+    escape_string { has_table?(:users) }
+  }
+  ' AND (SELECT count(*) FROM users) = 1 --
+  => nil
+
 == LICENSE:
 
 Ronin SQL - A Ruby library for Ronin that provids support for SQL related
 security tasks.
 
-Copyright (c) 2006-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2006-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

data/Rakefile

@@ -7,9 +7,9 @@ require './lib/ronin/sql/version.rb'
 
 Hoe.new('ronin-sql', Ronin::SQL::VERSION) do |p|
   p.rubyforge_name = 'ronin'
-  p.developer('Postmodern Modulus III','postmodern.mod3@gmail.com')
+  p.developer('Postmodern','postmodern.mod3@gmail.com')
   p.remote_rdoc_dir = 'docs/ronin-sql'
-  p.extra_deps = [['ronin', '>=0.0.9']]
+  p.extra_deps = [['ronin', '>=0.1.3']]
 end
 
 # vim: syntax=Ruby

data/lib/ronin/code/sql/{keyword.rb → add_column_clause.rb}

@@ -3,7 +3,7 @@
 # Ronin SQL - A Ronin library providing support for SQL related security
 # tasks.
 #
-# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,25 +21,21 @@
 #++
 #
 
+require 'ronin/code/sql/clause'
+
 module Ronin
   module Code
     module SQL
-      class Keyword
-
-        # The style to use
-        attr_reader :style
+      class AddColumnClause < Clause
 
-        def initialize(style,name)
-          @style = style
-          @name = name.to_s
-        end
+        attr_accessor :table
 
-        def compile
-          @style.compile_keyword(@name)
+        def initialize(table)
+          @table = table
         end
 
-        def to_s
-          compile
+        def emit
+          emit_token('ADD COLUMN') + emit_value(@table)
         end
 
       end

data/lib/ronin/code/sql/as.rb

@@ -0,0 +1,47 @@
+#
+#--
+# Ronin SQL - A Ronin library providing support for SQL related security
+# tasks.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/code/sql/modifier'
+
+module Ronin
+  module Code
+    module SQL
+      class As < Modifier
+
+        # Alias name
+        attr_reader :alias_name
+
+        def initialize(field,alias_name)
+          super(field,'AS')
+
+          @alias_name = alias_name
+        end
+
+        def emit
+          super + emit_value(@alias_name)
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/code/sql/asc.rb

@@ -0,0 +1,38 @@
+#
+#--
+# Ronin SQL - A Ronin library providing support for SQL related security
+# tasks.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/code/sql/modifier'
+
+module Ronin
+  module Code
+    module SQL
+      class Asc < Modifier
+
+        def initialize(expr)
+          super(expr,'ASC')
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/code/sql/between.rb

@@ -3,7 +3,7 @@
 # Ronin SQL - A Ronin library providing support for SQL related security
 # tasks.
 #
-# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -28,9 +28,16 @@ module Ronin
     module SQL
       class Between < Expr
 
-        def initialize(expr,lower,higher)
-          super(expr.style)
+        # Expression
+        attr_reader :expr
+
+        # Lower bound
+        attr_reader :lower
+
+        # Higher bound
+        attr_reader :higher
 
+        def initialize(expr,lower,higher)
           @expr = expr
           @lower = lower
           @higher = higher
@@ -42,18 +49,17 @@ module Ronin
           return self
         end
 
-        def compile
-          compile_expr(@expr,negated?,keyword_between,@lower,keyword_and,@higher)
-        end
+        def emit
+          tokens = emit_value(@expr)
 
-        protected
+          tokens += emit_token('NOT') if @negated
+          tokens += emit_token('BETWEEN')
 
-        keyword :between
-        keyword :and
-        keyword :not
+          tokens += emit_value(@lower)
+          tokens += emit_token('AND')
+          tokens += emit_value(@higher)
 
-        def negated?
-          keyword_not if @negated
+          return tokens
         end
 
       end

data/lib/ronin/code/sql/binary_expr.rb

@@ -3,7 +3,7 @@
 # Ronin SQL - A Ronin library providing support for SQL related security
 # tasks.
 #
-# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -28,16 +28,23 @@ module Ronin
     module SQL
       class BinaryExpr < Expr
 
-        def initialize(style,op,left,right)
-          super(style)
+        # Operator
+        attr_reader :op
 
+        # Left-hand side
+        attr_reader :left
+
+        # Right-hand side
+        attr_reader :right
+
+        def initialize(op,left,right)
           @op = op
           @left = left
           @right = right
         end
 
-        def compile
-          compile_expr(compile_data(@left),compile_keyword(@op),compile_data(@right))
+        def emit
+          emit_value(@left) + emit_token(@op) + emit_value(@right)
         end
 
       end

data/lib/ronin/code/sql/clause.rb

@@ -0,0 +1,37 @@
+#
+#--
+# Ronin SQL - A Ronin library providing support for SQL related security
+# tasks.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/code/sql/emittable'
+require 'ronin/code/sql/token'
+
+module Ronin
+  module Code
+    module SQL
+      class Clause
+
+        include Emittable
+
+      end
+    end
+  end
+end

data/lib/ronin/code/sql/code.rb

@@ -2,7 +2,7 @@
 # Ronin SQL - A Ronin library providing support for SQL related security
 # tasks.
 #
-# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/ronin/code/sql/common_dialect.rb

@@ -3,7 +3,7 @@
 # Ronin SQL - A Ronin library providing support for SQL related security
 # tasks.
 #
-# Copyright (c) 2007-2008 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -25,11 +25,14 @@ require 'ronin/code/sql/dialect'
 require 'ronin/code/sql/create_table'
 require 'ronin/code/sql/create_index'
 require 'ronin/code/sql/create_view'
+require 'ronin/code/sql/alter_table'
 require 'ronin/code/sql/insert'
 require 'ronin/code/sql/select'
 require 'ronin/code/sql/update'
 require 'ronin/code/sql/delete'
 require 'ronin/code/sql/drop_table'
+require 'ronin/code/sql/drop_index'
+require 'ronin/code/sql/drop_view'
 
 module Ronin
   module Code
@@ -45,16 +48,19 @@ module Ronin
         data_type :text
         data_type :record
 
-        aggregators :count, :min, :max, :sum, :avg
+        aggregators :avg, :count, :group_concat, :min, :max, :sum, :total
 
-        command :create_type, CreateTable
-        command :create_index, CreateIndex
-        command :create_view, CreateView
-        command :insert, Insert
-        command :select_from, Select
-        command :update, Update
-        command :delete, Delete
-        command :drop_table, DropTable
+        statement :create_type, CreateTable
+        statement :create_index, CreateIndex
+        statement :create_view, CreateView
+        statement :alter_table, AlterTable
+        statement :insert, Insert
+        statement :select, Select
+        statement :update, Update
+        statement :delete, Delete
+        statement :drop_table, DropTable
+        statement :drop_index, DropIndex
+        statement :drop_view, DropView
 
       end
     end

data/lib/ronin/code/sql/create.rb

@@ -0,0 +1,68 @@
+#
+#--
+# Ronin SQL - A Ronin library providing support for SQL related security
+# tasks.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/code/sql/statement'
+require 'ronin/code/sql/fields_clause'
+
+module Ronin
+  module Code
+    module SQL
+      class Create < Statement
+
+        clause :fields, FieldsClause
+
+        def initialize(dialect,type,name=nil,options={},&block)
+          @type = type
+          @name = name
+          @temp = (options[:temp] || options[:temporary])
+          @if_not_exists = options[:if_not_exists]
+
+          super(dialect,options,&block)
+        end
+
+        def temp
+          @temp = true
+          return self
+        end
+
+        def if_not_exists
+          @if_not_exists = true
+          return self
+        end
+
+        def emit
+          tokens = emit_token('CREATE')
+          tokens += emit_token('TEMP') if @temp
+
+          tokens += emit_token(@type)
+
+          tokens += emit_token('IF NOT EXISTS') if @if_not_exists
+          tokens += emit_token(@name)
+
+          return tokens + super
+        end
+
+      end
+    end
+  end
+end