Merge branch 'master' of github.com:sqlmapproject/sqlmap

Bernardo Damele
2013-01-11 13:31:49 +00:00
132 changed files with 359 additions and 322 deletions


@@ -166,9 +166,9 @@ class Agent(object):
# after the prefix or it is in GROUP BY / ORDER BY (<clause>)
elif kb.technique == PAYLOAD.TECHNIQUE.STACKED:
query = kb.injection.prefix
elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ] or kb.injection.clause == [ 3 ]:
elif kb.injection.clause == [2, 3] or kb.injection.clause == [2] or kb.injection.clause == [3]:
query = kb.injection.prefix
elif clause == [2, 3] or clause == [ 2 ] or clause == [ 3 ]:
elif clause == [2, 3] or clause == [2] or clause == [3]:
query = prefix
# In any other case prepend with the full prefix
@@ -223,7 +223,7 @@ class Agent(object):
_ = (
("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\
("[HASH_REPLACE]", kb.chars.hash_)
("[HASH_REPLACE]", kb.chars.hash_),
)
payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)
@@ -376,7 +376,18 @@ class Agent(object):
nulledCastedConcatFields = fields
else:
fields = fields.replace(", ", ',')
fieldsSplitted = fields.split(',')
commas = [0, len(fields)]
depth = 0
for index in xrange(len(fields)):
char = fields[index]
if char == '(':
depth += 1
elif char == ')':
depth -= 1
elif depth == 0 and char == ',':
commas.append(index)
commas = sorted(commas)
fieldsSplitted = [fields[x:y] for (x, y) in zip(commas, commas[1:])]
dbmsDelimiter = queries[Backend.getIdentifiedDbms()].delimiter.query
nulledCastedFields = []
@@ -758,7 +769,7 @@ class Agent(object):
limitStr = queries[Backend.getIdentifiedDbms()].limit.query
fromIndex = limitedQuery.index(" FROM ")
untilFrom = limitedQuery[:fromIndex]
fromFrom = limitedQuery[fromIndex+1:]
fromFrom = limitedQuery[fromIndex + 1:]
orderBy = False
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
@@ -766,7 +777,7 @@ class Agent(object):
limitedQuery += " %s" % limitStr
elif Backend.isDbms(DBMS.FIREBIRD):
limitStr = queries[Backend.getIdentifiedDbms()].limit.query % (num+1, num+1)
limitStr = queries[Backend.getIdentifiedDbms()].limit.query % (num + 1, num + 1)
limitedQuery += " %s" % limitStr
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
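Review bot: The depth-aware split in the third hunk (`commas = [0, len(fields)]` … `fieldsSplitted = [fields[x:y] for (x, y) in zip(commas, commas[1:])]`) leaves the separating comma at the start of every field after the first: for `a,b` the slices are `a` and `,b`, whereas the `fields.split(',')` it replaces produced `a` and `b`. Seeding the positions with `-1` and slicing past each comma fixes it: `commas = [-1, len(fields)]` and `fieldsSplitted = [fields[x + 1:y] for (x, y) in zip(commas, commas[1:])]`. Commas inside quoted string literals are still treated as separators, which the old split did as well, so that is not a regression, but it deserves a comment such as `# split on top-level commas only: parentheses are honoured, quotes are not`. The enclosing method starts and ends outside the hunk, so whether a later line strips that leading comma cannot be seen here.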


@@ -20,7 +20,6 @@ import random
import re
import socket
import string
import struct
import sys
import tempfile
import time
@@ -561,7 +560,7 @@ def paramToDict(place, parameters=None):
elif len(conf.testParameter) != len(testableParameters.keys()):
for parameter in conf.testParameter:
if parameter not in testableParameters:
warnMsg = "provided parameter '%s' " % parameter
warnMsg = "provided parameter '%s' " % parameter
warnMsg += "is not inside the %s" % place
logger.warn(warnMsg)
@@ -1012,8 +1011,8 @@ def parseTargetDirect():
conf.hostname = "localhost"
conf.port = 0
elif not remote:
errMsg = "missing remote connection details"
raise SqlmapSyntaxException(errMsg)
errMsg = "missing remote connection details"
raise SqlmapSyntaxException(errMsg)
if dbmsName in (DBMS.MSSQL, DBMS.SYBASE):
import _mssql
@@ -1068,10 +1067,10 @@ def parseTargetUrl():
conf.url = conf.url.replace('?', URI_QUESTION_MARKER)
urlSplit = urlparse.urlsplit(conf.url)
hostnamePort = urlSplit[1].split(":") if not re.search("\[.+\]", urlSplit[1]) else filter(None, (re.search("\[.+\]", urlSplit[1]).group(0), re.search("\](:(?P<port>\d+))?", urlSplit[1]).group("port")))
hostnamePort = urlSplit.netloc.split(":") if not re.search("\[.+\]", urlSplit.netloc) else filter(None, (re.search("\[.+\]", urlSplit.netloc).group(0), re.search("\](:(?P<port>\d+))?", urlSplit.netloc).group("port")))
conf.scheme = urlSplit[0].strip().lower() if not conf.forceSSL else "https"
conf.path = urlSplit[2].strip()
conf.scheme = urlSplit.scheme.strip().lower() if not conf.forceSSL else "https"
conf.path = urlSplit.path.strip()
conf.hostname = hostnamePort[0].strip()
conf.ipv6 = conf.hostname != conf.hostname.strip("[]")
@@ -1097,8 +1096,8 @@ def parseTargetUrl():
else:
conf.port = 80
if urlSplit[3]:
conf.parameters[PLACE.GET] = urldecode(urlSplit[3]) if urlSplit[3] and urlencode(DEFAULT_GET_POST_DELIMITER, None) not in urlSplit[3] else urlSplit[3]
if urlSplit.query:
conf.parameters[PLACE.GET] = urldecode(urlSplit.query) if urlSplit.query and urlencode(DEFAULT_GET_POST_DELIMITER, None) not in urlSplit.query else urlSplit.query
conf.url = getUnicode("%s://%s:%d%s" % (conf.scheme, ("[%s]" % conf.hostname) if conf.ipv6 else conf.hostname, conf.port, conf.path))
conf.url = conf.url.replace(URI_QUESTION_MARKER, '?')
@@ -1490,7 +1489,7 @@ def getConsoleWidth(default=80):
if os.getenv("COLUMNS", "").isdigit():
width = int(os.getenv("COLUMNS"))
else:
output=execute('stty size', shell=True, stdout=PIPE, stderr=PIPE).stdout.read()
output = execute("stty size", shell=True, stdout=PIPE, stderr=PIPE).stdout.read()
items = output.split()
if len(items) == 2 and items[1].isdigit():
@@ -2979,7 +2978,7 @@ def isAdminFromPrivileges(privileges):
# In Firebird there is no specific privilege that means
# that the user is DBA
# TODO: confirm
retVal |= (Backend.isDbms(DBMS.FIREBIRD) and "SELECT" in privileges and "INSERT" in privileges and "UPDATE" in privileges and "DELETE" in privileges and "REFERENCES" in privileges and "EXECUTE" in privileges)
retVal |= (Backend.isDbms(DBMS.FIREBIRD) and all(_ in privileges for _ in ("SELECT", "INSERT", "UPDATE", "DELETE", "REFERENCES", "EXECUTE")))
return retVal
@@ -3193,7 +3192,7 @@ def decodeHexValue(value):
try:
retVal = applyFunctionRecursively(value, _)
except Exception:
except:
singleTimeWarnMessage("there was a problem decoding value '%s' from expected hexadecimal form" % value)
return retVal
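Review bot: In the `decodeHexValue` hunk the handler goes from `except Exception:` to a bare `except:` (taking the second line of each printed pair as the new side, as elsewhere on this page), so `KeyboardInterrupt` and `SystemExit` raised inside `applyFunctionRecursively` are now downgraded to the "problem decoding value" warning instead of propagating; keep `except Exception:`. The `_setMetasploit` hunk in a later file section makes the identical change around the registry lookup and should keep `except Exception:` for the same reason. The dropped `import struct` at the top of this section is only safe if nothing remaining in this file calls `struct`; the `orddecode` function that packs with `struct` appears in a separate file section, so that cannot be confirmed from the page.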


@@ -54,8 +54,8 @@ def md5hash(value):
return md5.new(value).hexdigest()
def orddecode(value):
packedString = struct.pack("!"+"I" * len(value), *value)
return "".join(chr(char) for char in struct.unpack("!"+"I"*(len(packedString)/4), packedString))
packedString = struct.pack("!" + "I" * len(value), *value)
return "".join(chr(char) for char in struct.unpack("!" + "I" * (len(packedString) / 4), packedString))
def ordencode(value):
return tuple(ord(char) for char in value)


@@ -7,22 +7,22 @@ See the file 'doc/COPYING' for copying permission
from lib.core.datatype import AttribDict
_defaults = {
"csvDel": ",",
"timeSec": 5,
"googlePage": 1,
"cpuThrottle": 5,
"verbose": 1,
"delay": 0,
"timeout": 30,
"retries": 3,
"saFreq": 0,
"threads": 1,
"level": 1,
"risk": 1,
"dumpFormat": "CSV",
"tech": "BEUSTQ",
"torType": "HTTP"
}
_defaults = {
"csvDel": ",",
"timeSec": 5,
"googlePage": 1,
"cpuThrottle": 5,
"verbose": 1,
"delay": 0,
"timeout": 30,
"retries": 3,
"saFreq": 0,
"threads": 1,
"level": 1,
"risk": 1,
"dumpFormat": "CSV",
"tech": "BEUSTQ",
"torType": "HTTP",
}
defaults = AttribDict(_defaults)


@@ -34,7 +34,7 @@ FIREBIRD_TYPES = {
"12": "DATE",
"13": "TIME",
"35": "TIMESTAMP",
"37": "VARCHAR"
"37": "VARCHAR",
}
SYBASE_TYPES = {
@@ -69,38 +69,38 @@ SYBASE_TYPES = {
}
MYSQL_PRIVS = {
1:"select_priv",
2:"insert_priv",
3:"update_priv",
4:"delete_priv",
5:"create_priv",
6:"drop_priv",
7:"reload_priv",
8:"shutdown_priv",
9:"process_priv",
10:"file_priv",
11:"grant_priv",
12:"references_priv",
13:"index_priv",
14:"alter_priv",
15:"show_db_priv",
16:"super_priv",
17:"create_tmp_table_priv",
18:"lock_tables_priv",
19:"execute_priv",
20:"repl_slave_priv",
21:"repl_client_priv",
22:"create_view_priv",
23:"show_view_priv",
24:"create_routine_priv",
25:"alter_routine_priv",
26:"create_user_priv",
1: "select_priv",
2: "insert_priv",
3: "update_priv",
4: "delete_priv",
5: "create_priv",
6: "drop_priv",
7: "reload_priv",
8: "shutdown_priv",
9: "process_priv",
10: "file_priv",
11: "grant_priv",
12: "references_priv",
13: "index_priv",
14: "alter_priv",
15: "show_db_priv",
16: "super_priv",
17: "create_tmp_table_priv",
18: "lock_tables_priv",
19: "execute_priv",
20: "repl_slave_priv",
21: "repl_client_priv",
22: "create_view_priv",
23: "show_view_priv",
24: "create_routine_priv",
25: "alter_routine_priv",
26: "create_user_priv",
}
PGSQL_PRIVS = {
1:"createdb",
2:"super",
3:"catupd",
1: "createdb",
2: "super",
3: "catupd",
}
FIREBIRD_PRIVS = {
@@ -109,7 +109,7 @@ FIREBIRD_PRIVS = {
"U": "UPDATE",
"D": "DELETE",
"R": "REFERENCES",
"E": "EXECUTE"
"E": "EXECUTE",
}
DB2_PRIVS = {
@@ -120,7 +120,7 @@ DB2_PRIVS = {
5: "INSERTAUTH",
6: "REFAUTH",
7: "SELECTAUTH",
8: "UPDATEAUTH"
8: "UPDATEAUTH",
}
DUMP_REPLACEMENTS = {" ": NULL, "": BLANK}
@@ -135,7 +135,7 @@ DBMS_DICT = {
DBMS.FIREBIRD: (FIREBIRD_ALIASES, "python-kinterbasdb", "http://kinterbasdb.sourceforge.net/"),
DBMS.MAXDB: (MAXDB_ALIASES, None, None),
DBMS.SYBASE: (SYBASE_ALIASES, "python-pymssql", "http://pymssql.sourceforge.net/"),
DBMS.DB2: (DB2_ALIASES, "python ibm-db", "http://code.google.com/p/ibm-db/")
DBMS.DB2: (DB2_ALIASES, "python ibm-db", "http://code.google.com/p/ibm-db/"),
}
FROM_DUMMY_TABLE = {
@@ -143,11 +143,11 @@ FROM_DUMMY_TABLE = {
DBMS.ACCESS: " FROM MSysAccessObjects",
DBMS.FIREBIRD: " FROM RDB$DATABASE",
DBMS.MAXDB: " FROM VERSIONS",
DBMS.DB2: " FROM SYSIBM.SYSDUMMY1"
DBMS.DB2: " FROM SYSIBM.SYSDUMMY1",
}
SQL_STATEMENTS = {
"SQL SELECT statement": (
"SQL SELECT statement": (
"select ",
"show ",
" top ",
@@ -162,44 +162,46 @@ SQL_STATEMENTS = {
" offset ",
" union all ",
" rownum as ",
"(case ", ),
"(case ", ),
"SQL data definition": (
"SQL data definition": (
"create ",
"declare ",
"drop ",
"truncate ",
"alter ", ),
"alter ", ),
"SQL data manipulation": (
"SQL data manipulation": (
"bulk ",
"insert ",
"update ",
"delete ",
"merge ",
"load ", ),
"load ", ),
"SQL data control": (
"SQL data control": (
"grant ",
"revoke ", ),
"revoke ", ),
"SQL data execution": (
"SQL data execution": (
"exec ",
"execute ", ),
"execute ", ),
"SQL transaction": (
"SQL transaction": (
"start transaction ",
"begin work ",
"begin transaction ",
"commit ",
"rollback ", ),
"rollback ", ),
}
POST_HINT_CONTENT_TYPES = {
POST_HINT.JSON: "application/json",
POST_HINT.MULTIPART: "multipart/form-data",
POST_HINT.SOAP: "application/soap+xml",
POST_HINT.XML: "application/xml"
POST_HINT.XML: "application/xml",
}
DEPRECATED_HINTS = {"--replicate": "use '--dump-format=SQLITE' instead"}
DEPRECATED_HINTS = {
"--replicate": "use '--dump-format=SQLITE' instead",
}


@@ -119,13 +119,13 @@ class Dump(object):
if elements:
self._write("")
def banner(self,data):
def banner(self, data):
self.string("banner", data)
def currentUser(self,data):
def currentUser(self, data):
self.string("current user", data)
def currentDb(self,data):
def currentDb(self, data):
if Backend.isDbms(DBMS.MAXDB):
self.string("current database (no practical usage on %s)" % Backend.getIdentifiedDbms(), data)
elif Backend.isDbms(DBMS.ORACLE):
@@ -133,13 +133,13 @@ class Dump(object):
else:
self.string("current database", data)
def hostname(self,data):
def hostname(self, data):
self.string("hostname", data)
def dba(self,data):
def dba(self, data):
self.string("current user is DBA", data)
def users(self,users):
def users(self, users):
self.lister("database management system users", users)
def userSettings(self, header, userSettings, subHeader):
@@ -176,7 +176,7 @@ class Dump(object):
self.singleString("")
def dbs(self,dbs):
def dbs(self, dbs):
self.lister("available databases", dbs)
def dbTables(self, dbTables):
@@ -329,7 +329,6 @@ class Dump(object):
def dbTableValues(self, tableValues):
replication = None
rtable = None
documentNode, tableNode, bodyNode, headNode, rowNode = (0,) * 5
dumpFP = None
if tableValues is None:


@@ -178,7 +178,7 @@ class PAYLOAD:
3: "UNION query",
4: "stacked queries",
5: "AND/OR time-based blind",
6: "inline query"
6: "inline query",
}
PARAMETER = {
@@ -186,14 +186,14 @@ class PAYLOAD:
2: "Single quoted string",
3: "LIKE single quoted string",
4: "Double quoted string",
5: "LIKE double quoted string"
5: "LIKE double quoted string",
}
RISK = {
0: "No risk",
1: "Low risk",
2: "Medium risk",
3: "High risk"
3: "High risk",
}
CLAUSE = {
@@ -205,7 +205,7 @@ class PAYLOAD:
5: "OFFSET",
6: "TOP",
7: "Table name",
8: "Column name"
8: "Column name",
}
class METHOD:


@@ -244,7 +244,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
else:
scheme, port = None, None
if not re.search (r"^[\n]*(GET|POST).*?\sHTTP\/", request, re.I | re.M):
if not re.search(r"^[\n]*(GET|POST).*?\sHTTP\/", request, re.I | re.M):
continue
if re.search(r"^[\n]*(GET|POST).*?\.(%s)\sHTTP\/" % "|".join(CRAWL_EXCLUDE_EXTENSIONS), request, re.I | re.M):
@@ -272,7 +272,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
index = 5
url = line[index:line.index(" HTTP/")]
method = line[:index-1]
method = line[:index - 1]
if "?" in line and "=" in line:
params = True
@@ -353,6 +353,7 @@ def _loadQueries():
class DictObject(object):
def __init__(self):
self.__dict__ = {}
def __contains__(self, name):
return name in self.__dict__
@@ -486,7 +487,7 @@ def _setGoogleDorking():
infoMsg = "first request to Google to get the session cookie"
logger.info(infoMsg)
handlers = [ proxyHandler ]
handlers = [proxyHandler]
# Reference: http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html
if conf.keepAlive:
@@ -587,7 +588,7 @@ def _findPageForms():
for i in xrange(len(targets)):
try:
target = targets[i]
page, _, _= Request.getPage(url=target.strip(), crawling=True, raise404=False)
page, _, _ = Request.getPage(url=target.strip(), crawling=True, raise404=False)
findPageForms(page, target, False, True)
if conf.verbose in (1, 2):
@@ -638,7 +639,7 @@ def _setMetasploit():
_ = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
_ = OpenKey(_, key)
retVal = QueryValueEx(_, value)[0]
except Exception:
except:
logger.debug("unable to identify Metasploit installation path via registry key")
return retVal
@@ -749,7 +750,7 @@ def _setOS():
def _setTechnique():
validTechniques = sorted(getPublicTypeMembers(PAYLOAD.TECHNIQUE), key=lambda x: x[1])
validLetters = map(lambda x: x[0][0].upper(), validTechniques)
validLetters = [_[0][0].upper() for _ in validTechniques]
if conf.tech and isinstance(conf.tech, basestring):
_ = []
@@ -930,9 +931,9 @@ def _setHTTPProxy():
logger.debug(debugMsg)
proxySplit = urlparse.urlsplit(conf.proxy)
hostnamePort = proxySplit[1].split(":")
hostnamePort = proxySplit.netloc.split(":")
scheme = proxySplit[0].upper()
scheme = proxySplit.scheme.upper()
hostname = hostnamePort[0]
port = None
username = None
@@ -942,7 +943,7 @@ def _setHTTPProxy():
try:
port = int(hostnamePort[1])
except:
pass #drops into the next check block
pass # drops into the next check block
if not all((scheme, hasattr(PROXY_TYPE, scheme), hostname, port)):
errMsg = "proxy value must be in format '(%s)://url:port'" % "|".join(_[0].lower() for _ in getPublicTypeMembers(PROXY_TYPE))
@@ -1005,8 +1006,8 @@ def _setPrefixSuffix():
boundary = AttribDict()
boundary.level = 1
boundary.clause = [ 0 ]
boundary.where = [ 1, 2, 3 ]
boundary.clause = [0]
boundary.where = [1, 2, 3]
boundary.prefix = conf.prefix
boundary.suffix = conf.suffix
@@ -1024,7 +1025,7 @@ def _setPrefixSuffix():
# user who provides --prefix/--suffix does not want other boundaries
# to be tested for
conf.boundaries = [ boundary ]
conf.boundaries = [boundary]
def _setAuthCred():
"""
@@ -1247,7 +1248,7 @@ def _setHTTPUserAgent():
if count == 1:
userAgent = kb.userAgents[0]
else:
userAgent = kb.userAgents[randomRange(stop=count-1)]
userAgent = kb.userAgents[randomRange(stop=count - 1)]
userAgent = sanitizeStr(userAgent)
conf.httpHeaders.append((HTTPHEADER.USER_AGENT, userAgent))
@@ -1373,8 +1374,9 @@ def _cleanupOptions():
conf.data = re.sub(INJECT_HERE_MARK.replace(" ", r"[^A-Za-z]*"), CUSTOM_INJECTION_MARK_CHAR, conf.data, re.I)
if re.search(r'%[0-9a-f]{2}', conf.data, re.I):
class _(unicode):
pass
original = conf.data
class _(unicode): pass
conf.data = _(urldecode(conf.data))
setattr(conf.data, UNENCODED_ORIGINAL_VALUE, original)
else:
@@ -1409,7 +1411,7 @@ def _cleanupOptions():
conf.code = int(conf.code)
if conf.csvDel:
conf.csvDel = conf.csvDel.decode("string_escape") # e.g. '\\t' -> '\t'
conf.csvDel = conf.csvDel.decode("string_escape") # e.g. '\\t' -> '\t'
if conf.torPort and conf.torPort.isdigit():
conf.torPort = int(conf.torPort)
@@ -1504,7 +1506,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
kb.authHeader = None
kb.bannerFp = AttribDict()
kb.brute = AttribDict({"tables":[], "columns":[]})
kb.brute = AttribDict({"tables": [], "columns": []})
kb.bruteMode = False
kb.cache = AttribDict()
@@ -1525,7 +1527,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
# Active back-end DBMS fingerprint
kb.dbms = None
kb.dbmsVersion = [ UNKNOWN_DBMS_VERSION ]
kb.dbmsVersion = [UNKNOWN_DBMS_VERSION]
kb.delayCandidates = TIME_DELAY_CANDIDATES * [0]
kb.dep = None
@@ -1592,7 +1594,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
kb.redirectChoice = None
kb.redirectSetCookie = None
kb.reflectiveMechanism = True
kb.reflectiveCounters = {REFLECTIVE_COUNTER.MISS:0, REFLECTIVE_COUNTER.HIT:0}
kb.reflectiveCounters = {REFLECTIVE_COUNTER.MISS: 0, REFLECTIVE_COUNTER.HIT: 0}
kb.responseTimes = []
kb.resumeValues = True
kb.safeCharEncode = False
@@ -1820,7 +1822,7 @@ class LogRecorder(logging.StreamHandler):
"""
self.loghist.append({'levelname': record.levelname,
'text': record.msg % record.args if record.args else record.msg,
'id': len(self.loghist)+1})
'id': len(self.loghist) + 1})
if conf.fdLog:
# TODO: this is very heavy operation and slows down a lot the
@@ -2008,7 +2010,7 @@ def _basicOptionValidation():
errMsg = "maximum number of used threads is %d avoiding possible connection issues" % MAX_NUMBER_OF_THREADS
raise SqlmapSyntaxException(errMsg)
if conf.forms and not any ((conf.url, conf.bulkFile)):
if conf.forms and not any((conf.url, conf.bulkFile)):
errMsg = "switch '--forms' requires usage of option '-u' (--url) or '-m'"
raise SqlmapSyntaxException(errMsg)
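Review bot: In the `_cleanupOptions` hunk the unchanged first line `conf.data = re.sub(INJECT_HERE_MARK.replace(" ", r"[^A-Za-z]*"), CUSTOM_INJECTION_MARK_CHAR, conf.data, re.I)` passes `re.I` as the fourth positional argument of `re.sub`, which is `count`, not `flags`, so the marker is matched case-sensitively and at most two occurrences are replaced. The commit reformats the lines directly below it without touching this one; the fix is to pass `flags=re.I` as the last argument. The `class _(unicode): pass` that follows is presumably there only so that `setattr(conf.data, UNENCODED_ORIGINAL_VALUE, original)` can attach an attribute to the decoded string, which a plain `unicode` does not allow; a one-line comment such as `# unicode subclass so the original (encoded) value can be attached as an attribute` would save the next reader the guess. `_cleanupOptions` starts and ends outside the hunk.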


@@ -18,7 +18,7 @@ optDict = {
"requestFile": "string",
"sessionFile": "string",
"googleDork": "string",
"configFile": "string"
"configFile": "string",
},
"Request": {
@@ -47,7 +47,7 @@ optDict = {
"safUrl": "string",
"saFreq": "integer",
"skipUrlEncode": "boolean",
"evalCode": "string"
"evalCode": "string",
},
"Optimization": {
@@ -55,7 +55,7 @@ optDict = {
"predictOutput": "boolean",
"keepAlive": "boolean",
"nullConnection": "boolean",
"threads": "integer"
"threads": "integer",
},
"Injection": {
@@ -69,7 +69,7 @@ optDict = {
"prefix": "string",
"suffix": "string",
"skip": "string",
"tamper": "string"
"tamper": "string",
},
"Detection": {
@@ -80,7 +80,7 @@ optDict = {
"regexp": "string",
"code": "integer",
"textOnly": "boolean",
"titles": "boolean"
"titles": "boolean",
},
"Techniques": {
@@ -89,11 +89,11 @@ optDict = {
"uCols": "string",
"uChar": "string",
"dnsName": "string",
"secondOrder": "string"
"secondOrder": "string",
},
"Fingerprint": {
"extensiveFp": "boolean"
"extensiveFp": "boolean",
},
"Enumeration": {
@@ -126,23 +126,23 @@ optDict = {
"lastChar": "integer",
"query": "string",
"sqlShell": "boolean",
"sqlFile": "string"
"sqlFile": "string",
},
"Brute": {
"commonTables": "boolean",
"commonColumns": "boolean"
"commonColumns": "boolean",
},
"User-defined function": {
"udfInject": "boolean",
"shLib": "string"
"shLib": "string",
},
"File system": {
"rFile": "string",
"wFile": "string",
"dFile": "string"
"dFile": "string",
},
"Takeover": {
@@ -153,7 +153,7 @@ optDict = {
"osBof": "boolean",
"privEsc": "boolean",
"msfPath": "string",
"tmpPath": "string"
"tmpPath": "string",
},
"Windows": {
@@ -163,7 +163,7 @@ optDict = {
"regKey": "string",
"regVal": "string",
"regData": "string",
"regType": "string"
"regType": "string",
},
"General": {
@@ -208,7 +208,7 @@ optDict = {
"smart": "boolean",
"testFilter": "string",
"wizard": "boolean",
"verbose": "integer"
"verbose": "integer",
},
"Hidden": {
"profile": "boolean",
@@ -217,6 +217,6 @@ optDict = {
"smokeTest": "boolean",
"liveTest": "boolean",
"stopFail": "boolean",
"runCase": "string"
"runCase": "string",
}
}


@@ -65,7 +65,7 @@ def profile(profileOutputFile=None, dotOutputFile=None, imageOutputFile=None):
dotFilePointer = codecs.open(dotOutputFile, 'wt', UNICODE_ENCODING)
parser = gprof2dot.PstatsParser(profileOutputFile)
profile = parser.parse()
profile.prune(0.5/100.0, 0.1/100.0)
profile.prune(0.5 / 100.0, 0.1 / 100.0)
dot = gprof2dot.DotWriter(dotFilePointer)
dot.graph(profile, gprof2dot.TEMPERATURE_COLORMAP)
dotFilePointer.close()


@@ -64,7 +64,7 @@ def purge(directory):
except:
pass
dirpaths.sort(cmp = lambda x, y: y.count(os.path.sep) - x.count(os.path.sep))
dirpaths.sort(cmp=lambda x, y: y.count(os.path.sep) - x.count(os.path.sep))
logger.debug("renaming directory names to random values...")
for dirpath in dirpaths:


@@ -61,7 +61,7 @@ class Replication(object):
"""
if len(values) == len(self.columns):
self.execute('INSERT INTO "%s" VALUES (%s)' % (self.name, ','.join(['?']*len(values))), safechardecode(values))
self.execute('INSERT INTO "%s" VALUES (%s)' % (self.name, ','.join(['?'] * len(values))), safechardecode(values))
else:
errMsg = "wrong number of columns used in replicating insert"
raise SqlmapValueException(errMsg)


@@ -201,7 +201,7 @@ BASIC_HELP_ITEMS = (
"checkTor",
"flushSession",
"tor",
"wizard"
"wizard",
)
# String representation for NULL value
@@ -218,7 +218,7 @@ ERROR_PARSING_REGEXES = (
r"<b>[^<]*(fatal|error|warning|exception)[^<]*</b>:?\s*(?P<result>.+?)<br\s*/?\s*>",
r"(?m)^(fatal|error|warning|exception):?\s*(?P<result>.+?)$",
r"<li>Error Type:<br>(?P<result>.+?)</li>",
r"error '[0-9a-f]{8}'((<[^>]+>)|\s)+(?P<result>[^<>]+)"
r"error '[0-9a-f]{8}'((<[^>]+>)|\s)+(?P<result>[^<>]+)",
)
# Regular expression used for parsing charset info from meta html headers
@@ -234,7 +234,7 @@ EMPTY_FORM_FIELDS_REGEX = r'(&|\A)(?P<result>[^=]+=(&|\Z))'
COMMON_PASSWORD_SUFFIXES = ("1", "123", "2", "12", "3", "13", "7", "11", "5", "22", "23", "01", "4", "07", "21", "14", "10", "06", "08", "8", "15", "69", "16", "6", "18")
# Reference: http://www.the-interweb.com/serendipity/index.php?/archives/94-A-brief-analysis-of-40,000-leaked-MySpace-passwords.html
COMMON_PASSWORD_SUFFIXES += ("!", ".", "*", "!!", "?", ";", "..", "!!!", ",", "@")
COMMON_PASSWORD_SUFFIXES += ("!", ".", "*", "!!", "?", ";", "..", "!!!", ", ", "@")
# Splitter used between requests in WebScarab log files
WEBSCARAB_SPLITTER = "### Conversation"
@@ -363,7 +363,7 @@ DUMMY_SQL_INJECTION_CHARS = ";()'"
DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]"
# Extensions skipped by crawler
CRAWL_EXCLUDE_EXTENSIONS = ("gif","jpg","jar","tif","bmp","war","ear","mpg","wmv","mpeg","scm","iso","dmp","dll","cab","so","avi","bin","exe","iso","tar","png","pdf","ps","mp3","zip","rar","gz")
CRAWL_EXCLUDE_EXTENSIONS = ("gif", "jpg", "jar", "tif", "bmp", "war", "ear", "mpg", "wmv", "mpeg", "scm", "iso", "dmp", "dll", "cab", "so", "avi", "bin", "exe", "iso", "tar", "png", "pdf", "ps", "mp3", "zip", "rar", "gz")
# Template used for common table existence check
BRUTE_TABLE_EXISTS_TEMPLATE = "EXISTS(SELECT %d FROM %s)"
@@ -420,7 +420,7 @@ HASHDB_FLUSH_RETRIES = 3
HASHDB_MILESTONE_VALUE = "cAWxkLYCQT" # r5129 "".join(random.sample(string.letters, 10))
# Warn user of possible delay due to large page dump in full UNION query injections
LARGE_OUTPUT_THRESHOLD = 1024**2
LARGE_OUTPUT_THRESHOLD = 1024 ** 2
# On huge tables there is a considerable slowdown if every row retrieval requires ORDER BY (most noticable in table dumping using ERROR injections)
SLOW_ORDER_COUNT_THRESHOLD = 10000
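Review bot: The reformatting of `COMMON_PASSWORD_SUFFIXES += (...)` changes a value, not just layout: the element `","` on the old side reads `", "` on the new side, so the suffix becomes comma-plus-space instead of a bare comma, while every other element in that tuple stays single-character punctuation. This looks like a space-after-comma rule applied inside a string literal; restore `","` so the line is `COMMON_PASSWORD_SUFFIXES += ("!", ".", "*", "!!", "?", ";", "..", "!!!", ",", "@")`. The `CRAWL_EXCLUDE_EXTENSIONS` line in the same section lists `"iso"` twice; that is harmless for a membership test but worth dropping while the line is already being rewritten.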


@@ -40,7 +40,7 @@ class CompleterNG(rlcompleter.Completer):
matches = []
n = len(text)
for ns in [ self.namespace ]:
for ns in (self.namespace,):
for word in ns:
if word[:n] == text:
matches.append(word)


@@ -49,7 +49,7 @@ def blockingReadFromFD(fd):
break
if not output:
raise EOFError("fd %s has been closed." % fd )
raise EOFError("fd %s has been closed." % fd)
return output
@@ -142,7 +142,7 @@ class Popen(subprocess.Popen):
try:
written = os.write(self.stdin.fileno(), input)
except OSError, why:
if why[0] == errno.EPIPE: #broken pipe
if why[0] == errno.EPIPE: # broken pipe
return self._close('stdin')
raise
@@ -155,7 +155,7 @@ class Popen(subprocess.Popen):
flags = fcntl.fcntl(conn, fcntl.F_GETFL)
if not conn.closed:
fcntl.fcntl(conn, fcntl.F_SETFL, flags| os.O_NONBLOCK)
fcntl.fcntl(conn, fcntl.F_SETFL, flags | os.O_NONBLOCK)
try:
if not select.select([conn], [], [], 0)[0]:
@@ -175,7 +175,7 @@ class Popen(subprocess.Popen):
def recv_some(p, t=.1, e=1, tr=5, stderr=0):
if tr < 1:
tr = 1
x = time.time()+t
x = time.time() + t
y = []
r = ''
if stderr:
@@ -189,7 +189,7 @@ def recv_some(p, t=.1, e=1, tr=5, stderr=0):
elif r:
y.append(r)
else:
time.sleep(max((x-time.time())/tr, 0))
time.sleep(max((x - time.time()) / tr, 0))
return ''.join(y)
def send_all(p, data):


@@ -130,8 +130,8 @@ def _setRequestParams():
kb.processUserMarks = True if kb.postHint else kb.processUserMarks
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(map(lambda place: place in conf.parameters, [PLACE.GET, PLACE.POST])):
warnMsg = "you've provided target url without any GET "
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(place in conf.parameters for place in (PLACE.GET, PLACE.POST)):
warnMsg = "you've provided target url without any GET "
warnMsg += "parameters (e.g. www.site.com/article.php?id=1) "
warnMsg += "and without providing any POST parameters "
warnMsg += "through --data option"
@@ -161,7 +161,7 @@ def _setRequestParams():
if not kb.processUserMarks:
if place == PLACE.URI:
query = urlparse.urlsplit(value)[3]
query = urlparse.urlsplit(value).query
if query:
parameters = conf.parameters[PLACE.GET] = query
paramDict = paramToDict(PLACE.GET, parameters)


@@ -234,7 +234,7 @@ def runCase(switches=None, parse=None):
logger.error("unhandled exception occurred ('%s')" % str(exception))
tback = traceback.format_exc()
retVal = False
elif result is False: # if None, ignore
elif result is False: # if None, ignore
logger.error("the test did not run")
retVal = False


@@ -104,7 +104,7 @@ def runThreads(numThreads, threadFunction, cleanupFunction=None, forwardExceptio
kb.threadContinue = True
kb.threadException = False
if threadChoice and numThreads == 1 and any(map(lambda _: _ in kb.injection.data, (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY, PAYLOAD.TECHNIQUE.UNION))):
if threadChoice and numThreads == 1 and any(_ in kb.injection.data for _ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY, PAYLOAD.TECHNIQUE.UNION)):
while True:
message = "please enter number of threads? [Enter for %d (current)] " % numThreads
choice = readInput(message, default=str(numThreads))