PenTest/sqlmap
1
0
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2026-01-24 07:09:02 +00:00
Code Issues Projects Releases Wiki Activity

Merge branch 'master' of github.com:sqlmapproject/sqlmap

Browse Source
This commit is contained in:
Bernardo Damele
2013-02-03 11:31:12 +00:00
parent f8bc74758c e7b93b5b66
commit bd1ea13b8d
16 changed files with 100 additions and 343 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
lib/controller/checks.py
View File

@@ -85,6 +85,24 @@ def checkSqlInjection(place, parameter, value):
if kb.endDetection:
break
if conf.dbms is None:
if not injection.dbms and PAYLOAD.TECHNIQUE.BOOLEAN in injection.data:
if not Backend.getIdentifiedDbms() and not kb.heuristicDbms:
kb.heuristicDbms = heuristicCheckDbms(injection) or UNKNOWN_DBMS
if not conf.testFilter and (Backend.getErrorParsedDBMSes() or kb.heuristicDbms) not in ([], None, UNKNOWN_DBMS):
if kb.reduceTests is None and Backend.getErrorParsedDBMSes():
msg = "heuristic (parsing) test showed that the "
msg += "back-end DBMS could be '%s'. " % (Format.getErrorParsedDBMSes() if Backend.getErrorParsedDBMSes() else kb.heuristicDbms)
msg += "Do you want to skip test payloads specific for other DBMSes? [Y/n]"
kb.reduceTests = [] if readInput(msg, default='Y').upper() != 'Y' else (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms])
if kb.extendTests is None:
_ = (Format.getErrorParsedDBMSes() if Backend.getErrorParsedDBMSes() else kb.heuristicDbms)
msg = "do you want to include all tests for '%s' " % _
msg += "ignoring provided level (%d) and risk (%s)? [Y/n]" % (conf.level, conf.risk)
kb.extendTests = [] if readInput(msg, default='Y').upper() != 'Y' else (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms])
title = test.title
stype = test.stype
clause = test.clause
@@ -143,15 +161,24 @@ def checkSqlInjection(place, parameter, value):
logger.debug(debugMsg)
continue
# Skip DBMS-specific test if it does not match either the
# previously identified or the user's provided DBMS (either
# from program switch or from parsed error message(s))
if "details" in test and "dbms" in test.details:
dbms = test.details.dbms
else:
dbms = None
# Skip tests if title is not included by the given filter
if conf.testFilter:
if not any(re.search(conf.testFilter, str(item), re.I) for item in (test.title, test.vector,\
test.details.dbms if "details" in test and "dbms" in test.details else "")):
if not any(re.search(conf.testFilter, str(item), re.I) for item in (test.title, test.vector, dbms)):
debugMsg = "skipping test '%s' because " % title
debugMsg += "its name/vector/dbms is not included by the given filter"
logger.debug(debugMsg)
continue
else:
if not (kb.extendTests and intersect(dbms, kb.extendTests)):
# Skip test if the risk is higher than the provided (or default)
# value
# Parse test's <risk>
@@ -170,14 +197,6 @@ def checkSqlInjection(place, parameter, value):
logger.debug(debugMsg)
continue
# Skip DBMS-specific test if it does not match either the
# previously identified or the user's provided DBMS (either
# from program switch or from parsed error message(s))
if "details" in test and "dbms" in test.details:
dbms = test.details.dbms
else:
dbms = None
if dbms is not None:
if injection.dbms is not None and not intersect(injection.dbms, dbms):
debugMsg = "skipping test '%s' because " % title
@@ -192,17 +211,7 @@ def checkSqlInjection(place, parameter, value):
logger.debug(debugMsg)
continue
if conf.dbms is None and len(Backend.getErrorParsedDBMSes()) > 0 and not intersect(dbms, Backend.getErrorParsedDBMSes()) and kb.skipOthersDbms is None:
msg = "parsed error message(s) showed that the "
msg += "back-end DBMS could be %s. " % Format.getErrorParsedDBMSes()
msg += "Do you want to skip test payloads specific for other DBMSes? [Y/n]"
if readInput(msg, default="Y") in ("y", "Y"):
kb.skipOthersDbms = Backend.getErrorParsedDBMSes()
else:
kb.skipOthersDbms = []
if kb.skipOthersDbms and not intersect(dbms, kb.skipOthersDbms):
if kb.reduceTests and not intersect(dbms, kb.reduceTests):
debugMsg = "skipping test '%s' because " % title
debugMsg += "the parsed error message(s) showed "
debugMsg += "that the back-end DBMS could be "
@@ -444,10 +453,7 @@ def checkSqlInjection(place, parameter, value):
configUnion(test.request.char, test.request.columns)
if not Backend.getIdentifiedDbms():
if not kb.heuristicDbms:
kb.heuristicDbms = heuristicCheckDbms(injection) or UNKNOWN_DBMS
if kb.heuristicDbms == UNKNOWN_DBMS:
if kb.heuristicDbms in (None, UNKNOWN_DBMS):
warnMsg = "using unescaped version of the test "
warnMsg += "because of zero knowledge of the "
warnMsg += "back-end DBMS. You can try to "
@@ -556,8 +562,8 @@ def checkSqlInjection(place, parameter, value):
warnMsg = "user aborted during detection phase"
logger.warn(warnMsg)
message = "How do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(q)uit]"
choice = readInput(message, default="S", checkBatch=False)
msg = "How do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(q)uit]"
choice = readInput(msg, default="S", checkBatch=False)
if choice[0] in ("s", "S"):
pass
@@ -594,24 +600,23 @@ def checkSqlInjection(place, parameter, value):
def heuristicCheckDbms(injection):
retVal = None
if not Backend.getIdentifiedDbms() and len(injection.data) == 1 and PAYLOAD.TECHNIQUE.BOOLEAN in injection.data:
pushValue(kb.injection)
kb.injection = injection
randStr1, randStr2 = randomStr(), randomStr()
pushValue(kb.injection)
kb.injection = injection
randStr1, randStr2 = randomStr(), randomStr()
for dbms in getPublicTypeMembers(DBMS, True):
Backend.forceDbms(dbms)
for dbms in getPublicTypeMembers(DBMS, True):
Backend.forceDbms(dbms)
if checkBooleanExpression("(SELECT '%s'%s)='%s'" % (randStr1, FROM_DUMMY_TABLE.get(dbms, ""), randStr1)):
if not checkBooleanExpression("(SELECT '%s'%s)='%s'" % (randStr1, FROM_DUMMY_TABLE.get(dbms, ""), randStr2)):
retVal = dbms
break
if checkBooleanExpression("(SELECT '%s'%s)='%s'" % (randStr1, FROM_DUMMY_TABLE.get(dbms, ""), randStr1)):
if not checkBooleanExpression("(SELECT '%s'%s)='%s'" % (randStr1, FROM_DUMMY_TABLE.get(dbms, ""), randStr2)):
retVal = dbms
break
Backend.flushForcedDbms()
kb.injection = popValue()
Backend.flushForcedDbms()
kb.injection = popValue()
if retVal:
infoMsg = "heuristic test showed that the back-end DBMS "
infoMsg = "heuristic (extended) test shows that the back-end DBMS " # not as important as "parsing" counter-part (because of false-positives)
infoMsg += "could be '%s' " % retVal
logger.info(infoMsg)
@@ -725,7 +730,7 @@ def heuristicCheckSqlInjection(place, parameter):
parseFilePaths(page)
result = wasLastResponseDBMSError()
infoMsg = "heuristic test shows that %s " % place
infoMsg = "heuristic (parsing) test shows that %s " % place
infoMsg += "parameter '%s' might " % parameter
def _(page):
@@ -758,7 +763,7 @@ def heuristicCheckSqlInjection(place, parameter):
kb.ignoreCasted = readInput(message, default='Y' if conf.multipleTargets else 'N').upper() != 'N'
elif result:
infoMsg += "be injectable (possible DBMS: %s)" % (Format.getErrorParsedDBMSes() or UNKNOWN_DBMS)
infoMsg += "be injectable (possible DBMS: '%s')" % (Format.getErrorParsedDBMSes() or UNKNOWN_DBMS)
logger.info(infoMsg)
else:

15
lib/core/agent.py
View File

@@ -426,6 +426,10 @@ class Agent(object):
fieldsMinMaxstr = re.search(r"(?:MIN|MAX)\(([^\(\)]+)\)", query, re.I)
fieldsNoSelect = query
_ = zeroDepthSearch(query, " FROM ")
if not _:
fieldsSelectFrom = None
if fieldsSubstr:
fieldsToCastStr = query
elif fieldsMinMaxstr:
@@ -441,7 +445,6 @@ class Agent(object):
elif fieldsSelectCase:
fieldsToCastStr = fieldsSelectCase.groups()[0]
elif fieldsSelectFrom:
_ = zeroDepthSearch(query, " FROM ")
fieldsToCastStr = query[:unArrayizeValue(_)] if _ else query
fieldsToCastStr = re.sub(r"\ASELECT%s\s+" % prefixRegex, "", fieldsToCastStr)
elif fieldsSelect:
@@ -888,23 +891,17 @@ class Agent(object):
lengthQuery = queries[Backend.getIdentifiedDbms()].length.query
select = re.search("\ASELECT\s+", expression, re.I)
selectTopExpr = re.search("\ASELECT\s+TOP\s+[\d]+\s+(.+?)\s+FROM", expression, re.I)
selectDistinctExpr = re.search("\ASELECT\s+DISTINCT\((.+?)\)\s+FROM", expression, re.I)
selectFromExpr = re.search("\ASELECT\s+(.+?)\s+FROM", expression, re.I)
selectExpr = re.search("\ASELECT\s+(.+)$", expression, re.I)
_, _, _, _, _, _, fieldsStr, _ = self.getFields(expression)
if any((selectTopExpr, selectDistinctExpr, selectFromExpr, selectExpr)):
if any((selectTopExpr, selectFromExpr, selectExpr)):
query = fieldsStr
else:
query = expression
if selectDistinctExpr:
lengthExpr = "SELECT %s FROM (%s)" % (lengthQuery % query, expression)
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
lengthExpr += " AS %s" % randomStr(lowercase=True)
elif select:
if select:
lengthExpr = expression.replace(query, lengthQuery % query, 1)
else:
lengthExpr = lengthQuery % expression

3
lib/core/common.py
View File

@@ -974,7 +974,6 @@ def setPaths():
paths.SMALL_DICT = os.path.join(paths.SQLMAP_TXT_PATH, "smalldict.txt")
paths.USER_AGENTS = os.path.join(paths.SQLMAP_TXT_PATH, "user-agents.txt")
paths.WORDLIST = os.path.join(paths.SQLMAP_TXT_PATH, "wordlist.zip")
paths.PHPIDS_RULES_XML = os.path.join(paths.SQLMAP_XML_PATH, "phpids_rules.xml")
paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")
paths.PAYLOADS_XML = os.path.join(paths.SQLMAP_XML_PATH, "payloads.xml")
paths.INJECTIONS_XML = os.path.join(paths.SQLMAP_XML_PATH, "injections.xml")
@@ -1376,6 +1375,8 @@ def safeStringFormat(format_, params):
if isinstance(params, basestring):
retVal = retVal.replace("%s", params)
elif not isListLike(params):
retVal = retVal.replace("%s", str(params))
else:
count, index = 0, 0
while index != -1:

1
lib/core/dicts.py
View File

@@ -205,6 +205,7 @@ POST_HINT_CONTENT_TYPES = {
DEPRECATED_OPTIONS = {
"--replicate": "use '--dump-format=SQLITE' instead",
"--no-unescape": "use '--no-escape' instead",
"--check-payload": None,
}
DUMP_DATA_PREPROCESS = {

21
lib/core/option.py
View File

@@ -324,6 +324,10 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
scheme = "https"
port = port or "443"
if not host:
errMsg = "invalid format of a request file"
raise SqlmapSyntaxException, errMsg
if not url.startswith("http"):
url = "%s://%s:%s%s" % (scheme or "http", host, port or "80", url)
scheme = None
@@ -1521,6 +1525,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
kb.dynamicParameter = False
kb.endDetection = False
kb.explicitSettings = set()
kb.extendTests = None
kb.errorIsNone = True
kb.fileReadMode = False
kb.forcedDbms = None
@@ -1548,12 +1553,6 @@ def _setKnowledgeBaseAttributes(flushAll=True):
kb.multiThreadMode = False
kb.negativeLogic = False
kb.nullConnection = None
kb.pageCompress = True
kb.pageTemplate = None
kb.pageTemplates = dict()
kb.postHint = None
kb.previousMethod = None
kb.processUserMarks = None
kb.orderByColumns = None
kb.originalCode = None
kb.originalPage = None
@@ -1566,12 +1565,19 @@ def _setKnowledgeBaseAttributes(flushAll=True):
kb.osVersion = None
kb.osSP = None
kb.pageCompress = True
kb.pageTemplate = None
kb.pageTemplates = dict()
kb.pageEncoding = DEFAULT_PAGE_ENCODING
kb.pageStable = None
kb.partRun = None
kb.permissionFlag = False
kb.postHint = None
kb.postSpaceToPlus = False
kb.prependFlag = False
kb.processResponseCounter = 0
kb.previousMethod = None
kb.processUserMarks = None
kb.proxyAuthHeader = None
kb.queryCounter = 0
kb.redirectChoice = None
@@ -1584,8 +1590,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
kb.resumeValues = True
kb.safeCharEncode = False
kb.singleLogFlags = set()
kb.skipOthersDbms = None
kb.postSpaceToPlus = False
kb.reduceTests = None
kb.stickyDBMS = False
kb.stickyLevel = None
kb.suppressResumeInfo = False

1
lib/core/optiondict.py
View File

@@ -195,7 +195,6 @@ optDict = {
"alert": "string",
"answers": "string",
"beep": "boolean",
"checkPayload": "boolean",
"checkWaf": "boolean",
"cleanup": "boolean",
"dependencies": "boolean",

2
lib/core/settings.py
View File

@@ -466,7 +466,7 @@ VALID_TIME_CHARS_RUN_THRESHOLD = 100
CHECK_ZERO_COLUMNS_THRESHOLD = 10
# Boldify all logger messages containing these "patterns"
BOLD_PATTERNS = ("' injectable", "might be injectable", "' is vulnerable", "is not injectable", "test failed", "test passed", "live test final result", "heuristic test showed")
BOLD_PATTERNS = ("' injectable", "might be injectable", "' is vulnerable", "is not injectable", "test failed", "test passed", "live test final result", "test shows that")
# Generic www root directory names
GENERIC_DOC_ROOT_DIRECTORY_NAMES = ("htdocs", "wwwroot", "www")

4
lib/parse/cmdline.py
View File

@@ -612,10 +612,6 @@ def cmdLineParser():
miscellaneous.add_option("--beep", dest="beep", action="store_true",
help="Make a beep sound when SQL injection is found")
miscellaneous.add_option("--check-payload", dest="checkPayload",
action="store_true",
help="Offline WAF/IPS/IDS payload detection testing")
miscellaneous.add_option("--check-waf", dest="checkWaf",
action="store_true",
help="Check for existence of WAF/IPS/IDS protection")

3
lib/request/basic.py
View File

@@ -256,8 +256,7 @@ def decodePage(page, contentEncoding, contentType):
def processResponse(page, responseHeaders):
kb.processResponseCounter += 1
if not kb.dumpTable:
parseResponse(page, responseHeaders if kb.processResponseCounter < PARSE_HEADERS_LIMIT else None)
parseResponse(page, responseHeaders if kb.processResponseCounter < PARSE_HEADERS_LIMIT else None)
if conf.parseErrors:
msg = extractErrorMessage(page)

4
lib/request/connect.py
View File

@@ -79,7 +79,6 @@ from lib.request.basic import processResponse
from lib.request.direct import direct
from lib.request.comparison import comparison
from lib.request.methodrequest import MethodRequest
from lib.utils.checkpayload import checkPayload
from thirdparty.socks.socks import ProxyError
from thirdparty.multipart import multipartpost
@@ -658,9 +657,6 @@ class Connect(object):
if place:
value = agent.removePayloadDelimiters(value)
if conf.checkPayload:
checkPayload(value)
if PLACE.GET in conf.parameters:
get = conf.parameters[PLACE.GET] if place != PLACE.GET or not value else value

8
lib/request/inject.py
View File

@@ -25,6 +25,7 @@ from lib.core.common import isTechniqueAvailable
from lib.core.common import parseUnionPage
from lib.core.common import popValue
from lib.core.common import pushValue
from lib.core.common import randomStr
from lib.core.common import readInput
from lib.core.common import singleTimeWarnMessage
from lib.core.data import conf
@@ -76,6 +77,13 @@ def _goInference(payload, expression, charsetType=None, firstChar=None, lastChar
if not (timeBasedCompare and kb.dnsTest):
if (conf.eta or conf.threads > 1) and Backend.getIdentifiedDbms() and not re.search("(COUNT|LTRIM)\(", expression, re.I) and not timeBasedCompare:
if field and re.search("\ASELECT\s+DISTINCT\((.+?)\)\s+FROM", expression, re.I):
expression = "SELECT %s FROM (%s)" % (field, expression)
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
expression += " AS %s" % randomStr(lowercase=True)
if field and conf.hexConvert:
nulledCastedField = agent.nullAndCastField(field)
injExpression = expression.replace(field, nulledCastedField, 1)

56
lib/utils/checkpayload.py
View File

@@ -1,56 +0,0 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import re
from lib.core.common import readXmlFile
from lib.core.common import urldecode
from lib.core.data import paths
from lib.core.data import logger
rules = None
def _adjustGrammar(string):
string = re.sub('\ADetects', 'Detected', string)
string = re.sub('\Afinds', 'Found', string)
string = re.sub('attempts\Z', 'attempt', string)
string = re.sub('injections\Z', 'injection', string)
string = re.sub('attacks\Z', 'attack', string)
return string
def checkPayload(payload):
"""
This method checks if the generated payload is detectable by the
PHPIDS filter rules
"""
if not payload:
return
global rules
detected = False
payload = urldecode(payload, convall=True)
if not rules:
xmlrules = readXmlFile(paths.PHPIDS_RULES_XML)
rules = []
for xmlrule in xmlrules.getElementsByTagName("filter"):
rule = "(?i)%s" % xmlrule.getElementsByTagName('rule')[0].childNodes[0].nodeValue
desc = _adjustGrammar(xmlrule.getElementsByTagName('description')[0].childNodes[0].nodeValue)
rules.append((rule, desc))
if payload:
for rule, desc in rules:
if re.search(rule, payload):
detected = True
logger.warn("highly probable IDS/IPS detection: '%s: %s'" % (desc, payload))
if not detected:
logger.warn("payload '%s' possibly gone undetected" % payload)