'''
sqli.py

Copyright 2006 Andres Riancho

This file is part of w3af, w3af.sourceforge.net .

w3af is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License.

w3af is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with w3af; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

'''

from core.data.fuzzer.fuzzer import *
import core.controllers.outputManager as om
from core.controllers.basePlugin.baseAuditPlugin import baseAuditPlugin
import core.data.kb.knowledgeBase as kb
from core.controllers.w3afException import w3afException
import core.data.kb.vuln as vuln

# We define some constants
DB2 = 'IBM db2 database'
MSSQL = 'Microsoft SQL database'
ORACLE = 'Oracle database'
SYBASE = 'Sybase database'
POSTGRE = 'PostgreSQL database'
MYSQL = 'MySql database'
JAVA = 'Java connector'
ACCESS = 'Microsoft Access database'
INFORMIX = 'Informix database'
INTERBASE = 'Interbase database'

class sqli(baseAuditPlugin):
	'''
	This plugin tests for SQL injection bugs.
	@author: Andres Riancho ( andres.riancho@gmail.com )
	'''

	def __init__(self):
		baseAuditPlugin.__init__(self)

	def _fuzzRequests(self, freq ):
		'''
		Tests an URL for SQL injection vulnerabilities.
		
		@param freq: A fuzzableRequest
		'''
		om.out.debug( 'SQLi plugin is testing: ' + freq.getURL() )
		
		sqliStrings = self._getSQLiStrings()
		mutants = createMutants( freq , sqliStrings )
		self._originalRequest = freq
		
		for mutant in mutants:
			if self._hasNoBug( 'sqli' , 'sqli' , mutant.getURL() , mutant.getVar() ):
				# Only spawn a thread if the mutant has a modified variable
				# that has no reported bugs in the kb
				targs = (mutant,)
				self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self )
		
			
	def _analyzeResult( self, mutant, response ):
		'''
		Analyze results of the _sendMutant method.
		'''
		sqlError = self._findSqlError( response.getBody() )
		if sqlError:
		
			# Kill some false positives ...
			originalBody = self._sendMutant( self._originalRequest , analyze=False ).getBody()
			if sqlError[0] not in originalBody:
		
				v = vuln.vuln( mutant )
				v.setId( response.id )
				v['error'] = sqlError[1]
				v['db'] = sqlError[0]
				v.setDesc( 'SQL injection was found at: ' + response.getURL() + ' . Using method: ' + v.getMethod() + '. The data sent was: ' + str(mutant.getDc()) )
				kb.kb.append( self, 'sqli', v )
	
	def end(self):
		'''
		This method is called when the plugin wont be used anymore.
		'''
		self._tm.join( self )
		self.printUniq( kb.kb.getData( 'sqli', 'sqli' ), 'VAR' )
	
	def _getSQLiStrings( self ):
		'''
		Gets a list of strings to test against the web app.
		
		@return: A list with all SQLi strings to test. Example: [ '\'','\'\'']
		'''
		sqliStrings = []
		### TODO: verify if I need to add more values here
		# I think that i wont catch any sql injections bugs with ' that i dont catch
		# with d'z'0
		# sqliStrings.append("'")	
		sqliStrings.append("d'z'0")
		return sqliStrings

	def _findSqlError( self, htmlString ):
		'''
		This method searches for SQL errors in html's.
		
		@parameter htmlString: The html string where the method searches for sql errors
		@return: True if a SQL was found on the site, False otherwise.
		'''
		for sqlError in self._getSqlErrors():
			position = htmlString.find( sqlError[0] )
			if  position != -1:
				om.out.vulnerability('Found SQL error in page body, the error is (fragment): "' + htmlString[ position - 20 : position + 20]  + '".')
				return sqlError
		
		return None

	def _getSqlErrors(self):
		# sqlErrors = [('MDB',MSSQL),('<ORA>',ORACLE),('sybase error!',SYBASE)]
		errors = []
		
		errors.append( ('[IBM][CLI Driver][DB2', DB2 ) )
		errors.append( ('[SQL Server]', MSSQL ) )
		errors.append( ('[Microsoft][ODBC SQL Server Driver]', MSSQL ) )
		errors.append( ('[SQLServer JDBC Driver]', MSSQL ) )
		errors.append( ('[SqlException', MSSQL ) )
		errors.append( ('\'80040e14\'', MSSQL ) )
		errors.append( ('mssql_query()', MSSQL ) )
		errors.append( ('odbc_exec()', MSSQL ) )
		errors.append( ('ORA-0', ORACLE ) )
		errors.append( ('ORA-1', ORACLE ) )
		errors.append( ('PostgreSQL query failed:', POSTGRE ) )
		errors.append( ('supplied argument is not a valid PostgreSQL result', POSTGRE ) )
		errors.append( ('supplied argument is not a valid MySQL', MYSQL ) )
		errors.append( ('mysql_fetch_array()', MYSQL ) )
		errors.append( ('mysql_', MYSQL ) )
		errors.append( ('on MySQL result index', MYSQL ) )
		errors.append( ('You have an error in your SQL syntax;', MYSQL ) )
		errors.append( ('MySQL server version for the right syntax to use', MYSQL ) )
		errors.append( ('Incorrect syntax near', MSSQL ) )
		errors.append( ('com.informix.jdbc', INFORMIX ))
		errors.append( ('Dynamic Page Generation Error:', INFORMIX ))
		errors.append( ('Microsoft JET Database Engine error', ACCESS ))
		errors.append( ('Microsoft OLE DB Provider for ODBC Drivers error', MSSQL ))
		errors.append( ('[MySQL][ODBC', MYSQL ))
		errors.append( ("Column count doesn't match", MYSQL ))
		errors.append( ('java.sql.SQLException', JAVA ))
		errors.append( ('<b>Warning</b>:  ibase_', INTERBASE ))
		
		return errors
		
	def getOptionsXML(self):
		'''
		This method returns a XML containing the Options that the plugin has.
		Using this XML the framework will build a window, a menu, or some other input method to retrieve
		the info from the user. The XML has to validate against the xml schema file located at :
		w3af/core/ui/userInterface.dtd
		
		@return: XML with the plugin options.
		'''	
		return	'<?xml version="1.0" encoding="ISO-8859-1"?>\
		<OptionList>\
		</OptionList>\
		'

	def setOptions( self, OptionList ):
		'''
		This method sets all the options that are configured using the user interface 
		generated by the framework using the result of getOptionsXML().
		
		@parameter OptionList: A dictionary with the options for the plugin.
		@return: No value is returned.
		'''	
		pass

	def getPluginDeps( self ):
		'''
		@return: A list with the names of the plugins that should be runned before the
		current one.
		'''
		return []
	
	def getLongDesc( self ):
		'''
		@return: A DETAILED description of the plugin functions and features.
		'''
		return '''
		This plugin will find sql injections.
		
		To find this vulnerabilities the plugin sends the string "d'z'0" to every injection point, and searches the response
		for SQL errors.
		'''