diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py index 26ab10eaa..367ac63ff 100644 --- a/lib/core/optiondict.py +++ b/lib/core/optiondict.py @@ -27,15 +27,16 @@ optDict = { "Target": { "url": "string", "list": "string", + "requestFile": "string", "googleDork": "string", - "configFile": "string", - "requestFile": "string" + "configFile": "string" }, "Request": { "method": "string", "data": "string", "cookie": "string", + "cookieUrlencode": "boolean", "dropSetCookie": "boolean", "referer": "string", "agent": "string", @@ -62,7 +63,6 @@ optDict = { "regexp": "string", "eString": "string", "eRegexp": "string", - "cookieUrlencode": "boolean" }, "Techniques": { diff --git a/lib/core/settings.py b/lib/core/settings.py index b4c16c100..38b0f4ece 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -27,7 +27,7 @@ import subprocess import sys # sqlmap version and site -VERSION = "0.8-rc4" +VERSION = "0.8-rc5" VERSION_STRING = "sqlmap/%s" % VERSION SITE = "http://sqlmap.sourceforge.net" diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py index 6df142877..abe96f641 100644 --- a/lib/parse/cmdline.py +++ b/lib/parse/cmdline.py @@ -53,15 +53,15 @@ def cmdLineParser(): target.add_option("-l", dest="list", help="Parse targets from Burp " "or WebScarab proxy logs") + target.add_option("-r", dest="requestFile", + help="Load HTTP request from a file") + target.add_option("-g", dest="googleDork", help="Process Google dork results as target urls") target.add_option("-c", dest="configFile", help="Load options from a configuration INI file") - - target.add_option("-r", dest="requestFile", - help="Load HTTP request from a file") - + # Request options request = OptionGroup(parser, "Request", "These options can be used " "to specify how to connect to the target url.") 
@@ -75,7 +75,12 @@ def cmdLineParser(): request.add_option("--cookie", dest="cookie", help="HTTP Cookie header") - request.add_option("--drop-set-cookie", dest="dropSetCookie", action="store_true", + request.add_option("--cookie-urlencode", dest="cookieUrlencode", + action="store_true", + help="URL-encode generated cookie injections") + + request.add_option("--drop-set-cookie", dest="dropSetCookie", + action="store_true", help="Ignore Set-Cookie header from response") request.add_option("--user-agent", dest="agent", @@ -164,10 +169,6 @@ def cmdLineParser(): help="Matches to be excluded before " "comparing page contents") - injection.add_option("--cookie-urlencode", dest="cookieUrlencode", - action="store_true", - help="URLEncode generated cookie injections") - # Techniques options techniques = OptionGroup(parser, "Techniques", "These options can " "be used to test for specific SQL injection " diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py index e1a5c8370..0436a1ebe 100644 --- a/lib/takeover/metasploit.py +++ b/lib/takeover/metasploit.py @@ -636,15 +636,14 @@ class Metasploit: def uploadMsfPayloadStager(self, web=False): if web: - self.exeFilePathRemote = "./%s" % os.path.basename(self.exeFilePathLocal) + self.exeFilePathRemote = "%s/%s" % (self.webDirectory, os.path.basename(self.exeFilePathLocal)) else: self.exeFilePathRemote = "%s/%s" % (conf.tmpPath, os.path.basename(self.exeFilePathLocal)) logger.info("uploading payload stager to '%s'" % self.exeFilePathRemote) if web: - for directory in self.webDirectories: - self.webFileUpload(self.exeFilePathLocal, self.exeFilePathRemote, directory) + self.webFileUpload(self.exeFilePathLocal, self.exeFilePathRemote, self.webDirectory) else: self.writeFile(self.exeFilePathLocal, self.exeFilePathRemote, "binary", False) diff --git a/lib/takeover/web.py b/lib/takeover/web.py index 1f5aa5842..a47d5581e 100644 --- a/lib/takeover/web.py +++ b/lib/takeover/web.py 
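Review bot: The new first line of uploadMsfPayloadStager formats `self.webDirectory` into the remote stager path without checking it was ever set, yet the Web class initialises that attribute to `None` next to the other web* attributes and only assigns it after a backdoor upload, so a run in which no directory accepted the backdoor silently uploads the stager to `None/<stager>` instead of failing with a clear message. Guard the web branch before building the path: `if web and self.webDirectory is None:` followed by raising the exception this module already uses for setup failures (its name is not visible in the hunk) with a message such as "no web directory holding the backdoor is known, cannot upload the stager". The old `./%s` relative path had the same silent-failure shape, so this is a pre-existing weakness the rewrite makes easy to close rather than something the change introduces. The tail of uploadMsfPayloadStager may lie beyond the last line of this hunk.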
@@ -51,7 +51,7 @@ class Web: self.webBaseUrl = None self.webBackdoorUrl = None self.webUploaderUrl = None - self.webDirectories = set() + self.webDirectory = None def webBackdoorRunCmd(self, cmd): if self.webBackdoorUrl is None: @@ -114,9 +114,9 @@ class Web: self.checkDbmsOs() kb.docRoot = getDocRoot() - self.webDirectories = getDirs() - self.webDirectories = list(self.webDirectories) - self.webDirectories.sort() + directories = getDirs() + directories = list(directories) + directories.sort() infoMsg = "trying to upload the uploader agent" logger.info(infoMsg) @@ -154,7 +154,7 @@ class Web: uploaderName = "uploader.%s" % self.webApi uploaderStr = fileToStr(os.path.join(paths.SQLMAP_SHELL_PATH, uploaderName)) - for directory in self.webDirectories: + for directory in directories: # Upload the uploader agent outFile = os.path.normpath("%s/%s" % (directory, uploaderName)) uplQuery = uploaderStr.replace("WRITABLE_DIR", directory) @@ -184,6 +184,7 @@ class Web: self.webFileUpload(backdoorPath, backdoorName, directory) self.webBackdoorUrl = "%s/%s" % (self.webBaseUrl, backdoorName) + self.webDirectory = directory infoMsg = "the backdoor has probably been successfully " infoMsg += "uploaded on '%s', go with your browser " % directory diff --git a/sqlmap.conf b/sqlmap.conf index ee142df00..bb35923f7 100644 --- a/sqlmap.conf +++ b/sqlmap.conf @@ -10,6 +10,10 @@ url = # 'conversations/' folder path list = +# Load HTTP request from a file +# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme +requestFile = + # Rather than providing a target url, let Google return target # hosts as result of your Google dork expression. For a list of Google # dorks see Johnny Long Google Hacking Database at 
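Review bot: In the last hunk `self.webDirectory = directory` is assigned right after `self.webFileUpload(backdoorPath, backdoorName, directory)` with no confirmation that the backdoor actually landed, and the log line that follows only says it has "probably" been uploaded, so uploadMsfPayloadStager — which now derives the stager's remote path from this attribute — can be pointed at a directory that holds nothing. If the `for directory in directories:` loop from the earlier hunk does not break after this assignment (its tail is outside the hunk), the attribute is also overwritten on every iteration and ends as the last directory tried rather than the one that worked. Assign it only after a positive check, e.g. run a trivial command through `webBackdoorRunCmd` and do `self.webDirectory = directory` plus `break` only when the backdoor answers — its return convention is not visible here, so use whatever success signal it gives. It would also help to document the attribute where it is initialised: `# directory where the backdoor was successfully uploaded; None until then`. The enclosing method starts before and ends after these hunks.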
@@ -17,10 +21,6 @@ list = # Example: +ext:php +inurl:"&id=" +intext:"powered by " googleDork = -# Load HTTP request from a file -# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme -requestFile = - [Request] # HTTP method to perform HTTP requests. @@ -35,6 +35,10 @@ data = # HTTP Cookie header. cookie = +# URL-encode generated cookie injections. +# Valid: True or False +cookieUrlencode = False + # Ignore Set-Cookie header from response # Valid: True or False dropSetCookie = False @@ -155,10 +159,6 @@ eString = # (http://www.python.org/doc/2.5.2/lib/re-syntax.html) eRegexp = -# URLEncode generated cookie injections. -# Valid: True or False -cookieUrlencode = False - [Techniques] # Test for stacked queries (multiple statements) support.