2008-10-15 19:38:22 +04:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
"""
|
2008-10-15 19:56:32 +04:00
|
|
|
$Id$
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
|
|
|
|
|
2010-03-03 18:26:27 +03:00
|
|
|
Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
2009-04-22 15:48:07 +04:00
|
|
|
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
sqlmap is free software; you can redistribute it and/or modify it under
|
|
|
|
the terms of the GNU General Public License as published by the Free
|
|
|
|
Software Foundation version 2 of the License.
|
|
|
|
|
|
|
|
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
|
|
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
|
|
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
|
|
|
details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License along
|
|
|
|
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
|
|
|
|
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
|
|
"""
|
|
|
|
|
|
|
|
from lib.controller.action import action
|
|
|
|
from lib.controller.checks import checkSqlInjection
|
|
|
|
from lib.controller.checks import checkDynParam
|
|
|
|
from lib.controller.checks import checkStability
|
|
|
|
from lib.controller.checks import checkString
|
2008-12-12 22:06:31 +03:00
|
|
|
from lib.controller.checks import checkRegexp
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.controller.checks import checkConnection
|
2010-09-16 12:43:10 +04:00
|
|
|
from lib.controller.checks import checkNullConnection
|
2010-06-02 16:45:40 +04:00
|
|
|
from lib.core.common import getUnicode
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.core.common import paramToDict
|
2010-03-05 18:25:53 +03:00
|
|
|
from lib.core.common import parseTargetUrl
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.core.common import readInput
|
|
|
|
from lib.core.data import conf
|
|
|
|
from lib.core.data import kb
|
|
|
|
from lib.core.data import logger
|
2010-03-16 15:14:02 +03:00
|
|
|
from lib.core.exception import exceptionsTuple
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.core.exception import sqlmapNotVulnerableException
|
2010-09-30 23:45:23 +04:00
|
|
|
from lib.core.exception import sqlmapUserQuitException
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.core.session import setInjection
|
2010-03-15 14:55:13 +03:00
|
|
|
from lib.core.target import initTargetEnv
|
|
|
|
from lib.core.target import setupTargetEnv
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.utils.parenthesis import checkForParenthesis
|
|
|
|
|
|
|
|
def __selectInjection(injData):
|
|
|
|
"""
|
|
|
|
Selection function for injection place, parameters and type.
|
|
|
|
"""
|
|
|
|
|
|
|
|
message = "there were multiple injection points, please select the "
|
|
|
|
message += "one to use to go ahead:\n"
|
|
|
|
|
|
|
|
for i in xrange(0, len(injData)):
|
2008-11-22 04:57:22 +03:00
|
|
|
injPlace = injData[i][0]
|
2008-10-15 19:38:22 +04:00
|
|
|
injParameter = injData[i][1]
|
2008-11-22 04:57:22 +03:00
|
|
|
injType = injData[i][2]
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
message += "[%d] place: %s, parameter: " % (i, injPlace)
|
|
|
|
message += "%s, type: %s" % (injParameter, injType)
|
|
|
|
|
|
|
|
if i == 0:
|
|
|
|
message += " (default)"
|
|
|
|
|
|
|
|
message += "\n"
|
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
message += "[q] Quit"
|
2008-11-22 04:57:22 +03:00
|
|
|
select = readInput(message, default="0")
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
if not select:
|
|
|
|
index = 0
|
|
|
|
|
|
|
|
elif select.isdigit() and int(select) < len(injData) and int(select) >= 0:
|
|
|
|
index = int(select)
|
|
|
|
|
|
|
|
elif select[0] in ( "Q", "q" ):
|
|
|
|
return "Quit"
|
|
|
|
|
|
|
|
else:
|
2010-03-27 02:23:25 +03:00
|
|
|
warnMsg = "invalid choice, retry"
|
2008-10-15 19:38:22 +04:00
|
|
|
logger.warn(warnMsg)
|
|
|
|
__selectInjection(injData)
|
|
|
|
|
|
|
|
return injData[index]
|
|
|
|
|
|
|
|
def start():
|
|
|
|
"""
|
|
|
|
This function calls a function that performs checks on both URL
|
|
|
|
stability and all GET, POST, Cookie and User-Agent parameters to
|
|
|
|
check if they are dynamic and SQL injection affected
|
|
|
|
"""
|
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if not conf.start:
|
2010-09-26 18:56:55 +04:00
|
|
|
return False
|
2010-03-16 15:14:02 +03:00
|
|
|
|
2010-09-16 14:12:53 +04:00
|
|
|
if conf.optimize:
|
2010-09-16 14:41:52 +04:00
|
|
|
conf.useCommonPrediction = conf.useNullConnection = conf.keepAlive = True
|
2010-09-16 14:12:53 +04:00
|
|
|
|
2010-03-27 02:23:25 +03:00
|
|
|
if conf.direct:
|
|
|
|
initTargetEnv()
|
|
|
|
setupTargetEnv()
|
|
|
|
action()
|
2010-09-26 18:56:55 +04:00
|
|
|
return True
|
2010-03-27 02:23:25 +03:00
|
|
|
|
2008-10-15 19:38:22 +04:00
|
|
|
if conf.url:
|
2008-11-28 01:33:33 +03:00
|
|
|
kb.targetUrls.add(( conf.url, conf.method, conf.data, conf.cookie ))
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
if conf.configFile and not kb.targetUrls:
|
|
|
|
errMsg = "you did not edit the configuration file properly, set "
|
2008-11-20 20:56:09 +03:00
|
|
|
errMsg += "the target url, list of targets or google dork"
|
2008-10-15 19:38:22 +04:00
|
|
|
logger.error(errMsg)
|
2010-09-26 18:56:55 +04:00
|
|
|
return False
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2008-11-28 01:33:33 +03:00
|
|
|
if kb.targetUrls and len(kb.targetUrls) > 1:
|
|
|
|
infoMsg = "sqlmap got a total of %d targets" % len(kb.targetUrls)
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
2010-03-27 02:23:25 +03:00
|
|
|
hostCount = 0
|
|
|
|
cookieStr = ""
|
|
|
|
setCookieAsInjectable = True
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2008-11-28 01:33:33 +03:00
|
|
|
for targetUrl, targetMethod, targetData, targetCookie in kb.targetUrls:
|
2010-03-16 15:14:02 +03:00
|
|
|
try:
|
|
|
|
conf.url = targetUrl
|
|
|
|
conf.method = targetMethod
|
|
|
|
conf.data = targetData
|
|
|
|
conf.cookie = targetCookie
|
|
|
|
injData = []
|
|
|
|
|
|
|
|
if conf.multipleTargets:
|
|
|
|
hostCount += 1
|
|
|
|
message = "url %d:\n%s %s" % (hostCount, conf.method or "GET", targetUrl)
|
2008-11-28 01:33:33 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if conf.cookie:
|
|
|
|
message += "\nCookie: %s" % conf.cookie
|
2008-11-28 01:33:33 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if conf.data:
|
|
|
|
message += "\nPOST data: %s" % conf.data
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
message += "\ndo you want to test this url? [Y/n/q]"
|
|
|
|
test = readInput(message, default="Y")
|
2008-11-28 01:33:33 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if not test:
|
|
|
|
pass
|
|
|
|
elif test[0] in ("n", "N"):
|
|
|
|
continue
|
|
|
|
elif test[0] in ("q", "Q"):
|
|
|
|
break
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
logMsg = "testing url %s" % targetUrl
|
|
|
|
logger.info(logMsg)
|
2010-03-16 18:21:42 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
initTargetEnv()
|
|
|
|
parseTargetUrl()
|
|
|
|
setupTargetEnv()
|
|
|
|
|
|
|
|
if not checkConnection() or not checkString() or not checkRegexp():
|
2008-10-15 19:38:22 +04:00
|
|
|
continue
|
|
|
|
|
2010-09-16 14:01:33 +04:00
|
|
|
if conf.useNullConnection:
|
|
|
|
checkNullConnection()
|
2010-09-16 12:43:10 +04:00
|
|
|
|
2010-09-26 18:02:13 +04:00
|
|
|
if not conf.dropSetCookie and conf.cj:
|
2010-03-16 15:14:02 +03:00
|
|
|
for _, cookie in enumerate(conf.cj):
|
2010-06-02 16:45:40 +04:00
|
|
|
cookie = getUnicode(cookie)
|
2010-03-16 15:14:02 +03:00
|
|
|
index = cookie.index(" for ")
|
2010-03-16 18:21:42 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
cookieStr += "%s;" % cookie[8:index]
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if cookieStr:
|
|
|
|
cookieStr = cookieStr[:-1]
|
2010-03-16 18:21:42 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if "Cookie" in conf.parameters:
|
|
|
|
message = "you provided an HTTP Cookie header value. "
|
|
|
|
message += "The target url provided its own Cookie within "
|
|
|
|
message += "the HTTP Set-Cookie header. Do you want to "
|
|
|
|
message += "continue using the HTTP Cookie values that "
|
|
|
|
message += "you provided? [Y/n] "
|
|
|
|
test = readInput(message, default="Y")
|
2010-03-16 18:21:42 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if not test or test[0] in ("y", "Y"):
|
|
|
|
setCookieAsInjectable = False
|
2010-03-16 18:21:42 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if setCookieAsInjectable:
|
|
|
|
conf.httpHeaders.append(("Cookie", cookieStr))
|
|
|
|
conf.parameters["Cookie"] = cookieStr
|
|
|
|
__paramDict = paramToDict("Cookie", cookieStr)
|
2010-03-16 18:21:42 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if __paramDict:
|
|
|
|
conf.paramDict["Cookie"] = __paramDict
|
2010-03-21 03:39:44 +03:00
|
|
|
# TODO: consider the following line in __setRequestParams()
|
2010-03-16 15:14:02 +03:00
|
|
|
__testableParameters = True
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if not kb.injPlace or not kb.injParameter or not kb.injType:
|
|
|
|
if not conf.string and not conf.regexp and not conf.eRegexp:
|
|
|
|
# NOTE: this is not needed anymore, leaving only to display
|
|
|
|
# a warning message to the user in case the page is not stable
|
|
|
|
checkStability()
|
2009-04-22 15:48:07 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
for place in conf.parameters.keys():
|
|
|
|
if not conf.paramDict.has_key(place):
|
|
|
|
continue
|
2009-04-22 15:48:07 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
paramDict = conf.paramDict[place]
|
2009-04-22 15:48:07 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
for parameter, value in paramDict.items():
|
|
|
|
testSqlInj = True
|
2010-07-30 00:01:04 +04:00
|
|
|
paramKey = (conf.hostname, place, parameter)
|
2010-03-16 15:14:02 +03:00
|
|
|
|
2010-07-30 00:01:04 +04:00
|
|
|
if paramKey in kb.testedParams:
|
|
|
|
warnMsg = "skipping previously processed %s parameter '%s'" % (place, parameter)
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
testSqlInj = False
|
2010-03-16 15:14:02 +03:00
|
|
|
# Avoid dinamicity test if the user provided the
|
|
|
|
# parameter manually
|
2010-07-30 00:01:04 +04:00
|
|
|
elif parameter in conf.testParameter:
|
2010-03-16 15:14:02 +03:00
|
|
|
pass
|
|
|
|
elif not checkDynParam(place, parameter, value):
|
|
|
|
warnMsg = "%s parameter '%s' is not dynamic" % (place, parameter)
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
testSqlInj = False
|
|
|
|
else:
|
|
|
|
logMsg = "%s parameter '%s' is dynamic" % (place, parameter)
|
2008-10-15 19:38:22 +04:00
|
|
|
logger.info(logMsg)
|
|
|
|
|
2010-07-30 00:01:04 +04:00
|
|
|
kb.testedParams.add(paramKey)
|
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if testSqlInj:
|
|
|
|
for parenthesis in range(0, 4):
|
|
|
|
logMsg = "testing sql injection on %s " % place
|
|
|
|
logMsg += "parameter '%s' with " % parameter
|
|
|
|
logMsg += "%d parenthesis" % parenthesis
|
|
|
|
logger.info(logMsg)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
injType = checkSqlInjection(place, parameter, value, parenthesis)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if injType:
|
|
|
|
injData.append((place, parameter, injType))
|
2008-11-28 01:33:33 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
break
|
|
|
|
else:
|
|
|
|
infoMsg = "%s parameter '%s' is not " % (place, parameter)
|
|
|
|
infoMsg += "injectable with %d parenthesis" % parenthesis
|
|
|
|
logger.info(infoMsg)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if not injData:
|
|
|
|
warnMsg = "%s parameter '%s' is not " % (place, parameter)
|
|
|
|
warnMsg += "injectable"
|
|
|
|
logger.warn(warnMsg)
|
2008-11-22 04:57:22 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if not kb.injPlace or not kb.injParameter or not kb.injType:
|
|
|
|
if len(injData) == 1:
|
|
|
|
injDataSelected = injData[0]
|
2008-11-22 04:57:22 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
elif len(injData) > 1:
|
|
|
|
injDataSelected = __selectInjection(injData)
|
2008-11-22 04:57:22 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
else:
|
|
|
|
raise sqlmapNotVulnerableException, "all parameters are not injectable"
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if injDataSelected == "Quit":
|
|
|
|
return
|
2008-11-22 04:57:22 +03:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
else:
|
|
|
|
kb.injPlace, kb.injParameter, kb.injType = injDataSelected
|
|
|
|
setInjection()
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-03-16 17:30:57 +03:00
|
|
|
if kb.injPlace and kb.injParameter and kb.injType:
|
2010-03-16 15:14:02 +03:00
|
|
|
if conf.multipleTargets:
|
|
|
|
message = "do you want to exploit this SQL injection? [Y/n] "
|
|
|
|
exploit = readInput(message, default="Y")
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
condition = not exploit or exploit[0] in ("y", "Y")
|
|
|
|
else:
|
|
|
|
condition = True
|
|
|
|
|
|
|
|
if condition:
|
|
|
|
checkForParenthesis()
|
|
|
|
action()
|
|
|
|
|
2010-09-30 23:45:23 +04:00
|
|
|
except sqlmapUserQuitException:
|
|
|
|
raise
|
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
except exceptionsTuple, e:
|
2010-06-02 16:45:40 +04:00
|
|
|
e = getUnicode(e)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-03-16 15:14:02 +03:00
|
|
|
if conf.multipleTargets:
|
|
|
|
e += ", skipping to next url"
|
|
|
|
logger.error(e)
|
|
|
|
else:
|
2010-09-27 17:41:18 +04:00
|
|
|
logger.critical(e)
|
2010-09-26 18:56:55 +04:00
|
|
|
return False
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
if conf.loggedToOut:
|
|
|
|
logger.info("Fetched data logged to text files under '%s'" % conf.outputPath)
|
2010-09-26 18:56:55 +04:00
|
|
|
|
|
|
|
return True
|