Class: Ronin::SQL::Injection

Inherits:
StatementList
Includes:
Clauses, Literals
Defined in:
lib/ronin/sql/injection.rb

Overview

Represents a SQL injection (SQLi).

Constant Summary

PLACE_HOLDERS =

Default place holder values.

{
  integer: 1,
  decimal: 1.0,
  string:  '1',
  list:    [nil],
  column:  :id
}

Instance Attribute Summary

Attributes inherited from StatementList

#statements

Instance Method Summary

Methods included from Clauses

#clause, #clauses, #default_values, #from, #full_join, #group_by, #having, #indexed_by, #inner_join, #into, #join, #left_join, #limit, #not_indexed, #offset, #on, #right_join, #set, #top, #union, #values, #where

Methods included from Literals

#float, #int, #null, #string

Methods inherited from StatementList

#<<, #statement

Methods included from Emittable

#emitter, #inspect, #to_s

Methods included from Statements

#delete, #drop_table, #insert, #select, #statement, #update

Methods included from Functions

#abs, #acos, #ascii, #asin, #atan, #atan2, #avg, #bin, #bit_and, #bit_count, #bit_length, #bit_or, #ceil, #ceiling, #char, #char_length, #character_length, #concat, #concat_ws, #conv, #cos, #cot, #count, #degrees, #elt, #exp, #export_set, #field, #find_in_set, #floor, #format, #glob, #greatest, #hex, #insert, #instr, #interval, #lcase, #least, #left, #length, #like, #load_file, #locate, #log, #log10, #lower, #lpad, #ltrim, #make_set, #max, #mid, #min, #mod, #oct, #octet_length, #ord, #pi, #position, #pow, #power, #quote, #radians, #rand, #random, #repeat, #replace, #reverse, #right, #round, #rpad, #rtrim, #sign, #sin, #soundex, #space, #sqrt, #std, #stddev, #strcmp, #substring, #substring_index, #sum, #tan, #trim, #truncate, #ucase, #unhex, #upper

Methods included from Fields

#method_missing, #respond_to_missing?, #to_ary

Constructor Details

- (Injection) initialize(options = {}) {|(injection)| ... }

Initializes a new SQL injection.

Parameters:

  • options (Hash) (defaults to: {})

    Additional injection options.

Options Hash (options):

  • :escape (:integer, :decimal, :string, :column) — default: :integer

    The type of element to escape out of.

  • :terminate (Boolean)

    Specifies whether to terminate the SQLi with a comment.

  • :place_holder (String, Symbol, Integer)

    Place-holder data.

Yields:

  • ((injection))

    If a block is given, it will be evaluated within the injection. If the block accepts an argument, the block will be called with the new injection.

Yield Parameters:

  • injection (Injection)

    The new injection.



# File 'lib/ronin/sql/injection.rb', line 79

def initialize(options={},&block)
  # the type of element to escape out of; PLACE_HOLDERS supplies the
  # default place holder for each type unless :place_holder is given
  @escape       = options.fetch(:escape,:integer)
  @place_holder = options.fetch(:place_holder) do
    PLACE_HOLDERS.fetch(@escape)
  end

  # the place holder is the initial expression that #and / #or extend
  @expression = @place_holder

  super(&block)
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method of Ronin::SQL::Fields.

Instance Attribute Details

- (Object) escape (readonly)

The type of element to escape out of.



# File 'lib/ronin/sql/injection.rb', line 48

def escape
  @escape
end

- (Object) expression (readonly)

The expression that will be injected.



# File 'lib/ronin/sql/injection.rb', line 54

def expression
  @expression
end

- (Object) place_holder (readonly)

The place holder data.



# File 'lib/ronin/sql/injection.rb', line 51

def place_holder
  @place_holder
end

Instance Method Details

- (self) and {|(injection)| ... }

Appends an AND expression to the injection.

Yields:

  • ((injection))

    The return value of the block will be used as the right-hand side operand. If the block accepts an argument, it will be called with the injection.

Yield Parameters:

  • injection (Injection)

    The injection.

Returns:

  • (self)


# File 'lib/ronin/sql/injection.rb', line 102

def and(&block)
  value = case block.arity
          when 0 then instance_eval(&block)
          else        block.call(self)
          end

  @expression = BinaryExpr.new(@expression,:AND,value)
  return self
end

- (self) or {|(injection)| ... }

Appends an OR expression to the injection.

Yields:

  • ((injection))

    The return value of the block will be used as the right-hand side operand. If the block accepts an argument, it will be called with the injection.

Yield Parameters:

  • injection (Injection)

    The injection.

Returns:

  • (self)


# File 'lib/ronin/sql/injection.rb', line 124

def or(&block)
  value = case block.arity
          when 0 then instance_eval(&block)
          else        block.call(self)
          end

  @expression = BinaryExpr.new(@expression,:OR,value)
  return self
end

- (String) to_sql(options = {})

Converts the SQL injection to SQL.

Parameters:

  • options (Hash) (defaults to: {})

    Additional emitter options.

Options Hash (options):

  • :terminate (Boolean)

    Specifies whether to terminate the injection with ;--.

Returns:

  • (String)

    The SQL representation of the injection.


# File 'lib/ronin/sql/injection.rb', line 146

def to_sql(options={})
  emitter = emitter(options)
  sql     = ''

  # the place holder together with any appended AND / OR expressions
  sql << emitter.emit(@expression)

  unless clauses.empty?
    sql << emitter.space << emitter.emit_clauses(clauses)
  end

  unless statements.empty?
    # appended statements are separated from the expression by ';'
    sql << ';' << emitter.space << emitter.emit_statement_list(self)
  end

  case @escape
  when :string, :list
    if (options[:terminate] || (sql[0,1] != sql[-1,1]))
      # the SQL does not end in the same quote it starts with,
      # so terminate the expression
      sql << ';--'
    else
      # drop the trailing quote so the surrounding quotes stay balanced
      sql = sql[0..-2]
    end

    # balance the quotes by dropping the leading quote as well
    sql = sql[1..-1]
  else
    if options[:terminate]
      # terminate the expression
      sql << ';--'
    end
  end

  return sql
end