sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 17:46:37 +03:00
Code Issues Packages Projects Releases Wiki Activity
68e08d2749
sqlmap/lib/core/target.py

418 lines
14 KiB
Python
Raw Normal View History

After the storm, a restore..
2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
propsets..
2008-10-15 19:56:32 +04:00
$Id$
After the storm, a restore..
2008-10-15 19:38:22 +04:00
updating copyright date
2012-01-11 18:59:46 +04:00
Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
sorry, cosmetics
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
added support for proper unicode session(s) storage/retrieval
2010-05-24 15:00:49 +04:00
import codecs
After the storm, a restore..
2008-10-15 19:38:22 +04:00
import os
Added support for SOAP requests: fixed, extended and tested a user's patch - closes #196.
2010-06-30 01:07:23 +04:00
import re
fix for a "bug" reported by Spencer J. McIntyre (os.makedirs(conf.outputPath, 0755) -> permission denied)
2010-12-09 00:16:18 +03:00
import tempfile
After the storm, a restore..
2008-10-15 19:38:22 +04:00
import time
from lib.core.common import dataToSessionFile
minor update
2012-02-25 14:43:10 +04:00
from lib.core.common import hashDBRetrieve
update regarding explicit testing of ua and referer when using -p
2011-02-14 00:58:48 +03:00
from lib.core.common import intersect
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import paramToDict
new feature --forms (still unfinished)
2010-10-10 22:56:43 +04:00
from lib.core.common import readInput
major bug fix reported by Ahmed Shawky (there was a possibility of double url encoding of parameter values)
2011-01-27 21:36:28 +03:00
from lib.core.convert import urldecode
important update regarding restoring of potentially changed switch values in multi-target mode and/or missing switch values in resume mode
2011-01-02 13:37:32 +03:00
from lib.core.data import cmdLineOptions
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
from lib.core.data import logger
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.data import paths
from lib.core.dump import dumper
some refactoring
2011-12-28 17:50:03 +04:00
from lib.core.enums import HASHDB_KEYS
further enum refactoring
2010-11-08 12:44:32 +03:00
from lib.core.enums import HTTPMETHOD
from lib.core.enums import PLACE
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.exception import sqlmapFilePathException
from lib.core.exception import sqlmapGenericException
from lib.core.exception import sqlmapSyntaxException
minor update
2011-05-08 10:17:43 +04:00
from lib.core.exception import sqlmapUserQuitException
bug fix
2010-12-18 13:02:01 +03:00
from lib.core.option import __setDBMS
when in multi target mode this should be done (another bug was reported by ToR for using "old" data - kb was not properly cleared)
2010-11-17 18:33:07 +03:00
from lib.core.option import __setKnowledgeBaseAttributes
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.session import resumeConfKb
adding support for scanning Host header values (-p host)
2011-12-20 16:52:41 +04:00
from lib.core.settings import HOST_ALIASES
update regarding explicit testing of ua and referer when using -p
2011-02-14 00:58:48 +03:00
from lib.core.settings import REFERER_ALIASES
introducing results file for multiple target mode
2011-05-16 02:21:38 +04:00
from lib.core.settings import RESULTS_FILE_FORMAT
minor refactoring and improving of used regex
2011-04-18 02:37:00 +04:00
from lib.core.settings import SOAP_REGEX
adding usage of non-encoded/decoded post data (if data is recognized to be already encoded) by user request
2011-10-25 13:53:44 +04:00
from lib.core.settings import UNENCODED_ORIGINAL_VALUE
refactoring
2011-01-30 14:36:03 +03:00
from lib.core.settings import UNICODE_ENCODING
update (now URIs like www.site.com/id82 are automatically treated as possible URI injectable)
2011-01-31 23:36:01 +03:00
from lib.core.settings import URI_INJECTABLE_REGEX
little clean up
2011-02-04 15:25:14 +03:00
from lib.core.settings import URI_INJECTION_MARK_CHAR
update regarding explicit testing of ua and referer when using -p
2011-02-14 00:58:48 +03:00
from lib.core.settings import USER_AGENT_ALIASES
switching to SQLite resume support (on error and union techniques this moment)
2011-09-26 00:36:32 +04:00
from lib.utils.hashdb import HashDB
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments.
2010-05-28 20:43:04 +04:00
from lib.core.xmldump import dumper as xmldumper
After the storm, a restore..
2008-10-15 19:38:22 +04:00
def __setRequestParams():
"""
Check and set the parameters and perform checks on 'data' option for
HTTP method POST.
"""
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
if conf.direct:
conf.parameters[None] = "direct connection"
return
After the storm, a restore..
2008-10-15 19:38:22 +04:00
__testableParameters = False
# Perform checks on GET parameters
further enum refactoring
2010-11-08 12:44:32 +03:00
if conf.parameters.has_key(PLACE.GET) and conf.parameters[PLACE.GET]:
parameters = conf.parameters[PLACE.GET]
__paramDict = paramToDict(PLACE.GET, parameters)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if __paramDict:
further enum refactoring
2010-11-08 12:44:32 +03:00
conf.paramDict[PLACE.GET] = __paramDict
After the storm, a restore..
2008-10-15 19:38:22 +04:00
__testableParameters = True
# Perform checks on POST parameters
further enum refactoring
2010-11-08 12:44:32 +03:00
if conf.method == HTTPMETHOD.POST and not conf.data:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
errMsg = "HTTP POST method depends on HTTP data value to be posted"
raise sqlmapSyntaxException, errMsg
if conf.data:
adding usage of non-encoded/decoded post data (if data is recognized to be already encoded) by user request
2011-10-25 13:53:44 +04:00
if hasattr(conf.data, UNENCODED_ORIGINAL_VALUE):
original = getattr(conf.data, UNENCODED_ORIGINAL_VALUE)
conf.data = type(conf.data)(conf.data.replace("\n", " "))
setattr(conf.data, UNENCODED_ORIGINAL_VALUE, original)
else:
conf.data = conf.data.replace("\n", " ")
Added support for SOAP requests: fixed, extended and tested a user's patch - closes #196.
2010-06-30 01:07:23 +04:00
# Check if POST data is in xml syntax
minor refactoring and improving of used regex
2011-04-18 02:37:00 +04:00
if re.match(SOAP_REGEX, conf.data, re.I | re.M):
SOAP refactoring
2011-04-18 01:39:00 +04:00
place = PLACE.SOAP
Added support for SOAP requests: fixed, extended and tested a user's patch - closes #196.
2010-06-30 01:07:23 +04:00
else:
SOAP refactoring
2011-04-18 01:39:00 +04:00
place = PLACE.POST
conf.parameters[place] = conf.data
__paramDict = paramToDict(place, conf.data)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if __paramDict:
SOAP refactoring
2011-04-18 01:39:00 +04:00
conf.paramDict[place] = __paramDict
After the storm, a restore..
2008-10-15 19:38:22 +04:00
__testableParameters = True
further enum refactoring
2010-11-08 12:44:32 +03:00
conf.method = HTTPMETHOD.POST
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
minor update related to the previous commit
2011-05-08 10:28:58 +04:00
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(map(lambda place: place in conf.parameters, [PLACE.GET, PLACE.POST])):
warnMsg = "you've provided target url without any GET "
warnMsg += "parameters (e.g. www.site.com/article.php?id=1) "
warnMsg += "and without providing any POST parameters "
warnMsg += "through --data option"
minor update
2011-05-08 10:17:43 +04:00
logger.warn(warnMsg)
message = "do you want to try URI injections "
message += "in the target url itself? [Y/n/q] "
test = readInput(message, default="Y")
if not test or test[0] in ("y", "Y"):
conf.url = "%s%s" % (conf.url, URI_INJECTION_MARK_CHAR)
elif test[0] in ("n", "N"):
pass
elif test[0] in ("q", "Q"):
raise sqlmapUserQuitException
update (now URIs like www.site.com/id82 are automatically treated as possible URI injectable)
2011-01-31 23:36:01 +03:00
minor refactoring
2011-02-04 16:04:19 +03:00
if URI_INJECTION_MARK_CHAR in conf.url:
further enum refactoring
2010-11-08 12:44:32 +03:00
conf.parameters[PLACE.URI] = conf.url
conf.paramDict[PLACE.URI] = {}
minor refactoring
2011-02-04 16:04:19 +03:00
parts = conf.url.split(URI_INJECTION_MARK_CHAR)
Cosmetics and major bug fix
2011-04-22 01:15:23 +04:00
some minor range to xrange conversion (where safe to do)
2011-10-22 02:34:27 +04:00
for i in xrange(len(parts)-1):
more changes regarding path (URI) injection
2010-09-24 13:19:14 +04:00
result = str()
Cosmetics and major bug fix
2011-04-22 01:15:23 +04:00
some minor range to xrange conversion (where safe to do)
2011-10-22 02:34:27 +04:00
for j in xrange(len(parts)):
more changes regarding path (URI) injection
2010-09-24 13:19:14 +04:00
result += parts[j]
Cosmetics and major bug fix
2011-04-22 01:15:23 +04:00
more changes regarding path (URI) injection
2010-09-24 13:19:14 +04:00
if i == j:
minor refactoring
2011-02-04 16:04:19 +03:00
result += URI_INJECTION_MARK_CHAR
Cosmetics and major bug fix
2011-04-22 01:15:23 +04:00
minor refactoring
2011-02-04 16:04:19 +03:00
conf.paramDict[PLACE.URI]["#%d%s" % (i+1, URI_INJECTION_MARK_CHAR)] = result
Cosmetics and major bug fix
2011-04-22 01:15:23 +04:00
minor refactoring
2011-02-04 16:04:19 +03:00
conf.url = conf.url.replace(URI_INJECTION_MARK_CHAR, str())
first commit regarding Feature #144
2010-09-22 15:56:35 +04:00
__testableParameters = True
After the storm, a restore..
2008-10-15 19:38:22 +04:00
# Perform checks on Cookie parameters
if conf.cookie:
further enum refactoring
2010-11-08 12:44:32 +03:00
conf.parameters[PLACE.COOKIE] = conf.cookie
__paramDict = paramToDict(PLACE.COOKIE, conf.cookie)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if __paramDict:
further enum refactoring
2010-11-08 12:44:32 +03:00
conf.paramDict[PLACE.COOKIE] = __paramDict
After the storm, a restore..
2008-10-15 19:38:22 +04:00
__testableParameters = True
adding support for scanning Host header values (-p host)
2011-12-20 16:52:41 +04:00
# Perform checks on header values
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if conf.httpHeaders:
for httpHeader, headerValue in conf.httpHeaders:
More replacements for refactoring. Minor layout adjustments. Alignment of conffile/optiondict/cmdline parameters.
2010-11-08 15:36:48 +03:00
if httpHeader == PLACE.UA:
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
# No need for url encoding/decoding the user agent
major bug fix reported by Ahmed Shawky (there was a possibility of double url encoding of parameter values)
2011-01-27 21:36:28 +03:00
conf.parameters[PLACE.UA] = urldecode(headerValue)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
minor optimization
2011-11-21 00:14:47 +04:00
condition = any((not conf.testParameter, intersect(conf.testParameter, USER_AGENT_ALIASES)))
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if condition:
further enum refactoring
2010-11-08 12:44:32 +03:00
conf.paramDict[PLACE.UA] = { PLACE.UA: headerValue }
After the storm, a restore..
2008-10-15 19:38:22 +04:00
__testableParameters = True
implementation of referer feature
2011-02-12 02:07:03 +03:00
elif httpHeader == PLACE.REFERER:
# No need for url encoding/decoding the referer
conf.parameters[PLACE.REFERER] = urldecode(headerValue)
minor optimization
2011-11-21 00:14:47 +04:00
condition = any((not conf.testParameter, intersect(conf.testParameter, REFERER_ALIASES)))
implementation of referer feature
2011-02-12 02:07:03 +03:00
if condition:
conf.paramDict[PLACE.REFERER] = { PLACE.REFERER: headerValue }
__testableParameters = True
adding support for scanning Host header values (-p host)
2011-12-20 16:52:41 +04:00
elif httpHeader == PLACE.HOST:
# No need for url encoding/decoding the host
conf.parameters[PLACE.HOST] = urldecode(headerValue)
condition = any((not conf.testParameter, intersect(conf.testParameter, HOST_ALIASES)))
if condition:
conf.paramDict[PLACE.HOST] = { PLACE.HOST: headerValue }
__testableParameters = True
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if not conf.parameters:
Minor code restyling
2011-04-30 17:20:05 +04:00
errMsg = "you did not provide any GET, POST and Cookie "
adding support for scanning Host header values (-p host)
2011-12-20 16:52:41 +04:00
errMsg += "parameter, neither an User-Agent, Referer or Host header value"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
raise sqlmapGenericException, errMsg
elif not __testableParameters:
Minor code restyling
2011-04-30 17:20:05 +04:00
errMsg = "all testable parameters you provided are not present "
After the storm, a restore..
2008-10-15 19:38:22 +04:00
errMsg += "within the GET, POST and Cookie parameters"
raise sqlmapGenericException, errMsg
minor fix
2011-09-26 17:01:43 +04:00
def __setHashDB():
"""
Check and set the HashDB SQLite file for query resume functionality.
"""
speed optimization and bug fix (kb.absFilePaths were not stored previously; also, they are now extracted only in heuristic phase)
2011-11-22 12:39:13 +04:00
minor fix
2011-09-26 17:01:43 +04:00
if not conf.hashDBFile:
conf.hashDBFile = "%s%shashdb" % (conf.outputPath, os.sep)
if os.path.exists(conf.hashDBFile):
if conf.flushSession:
try:
os.remove(conf.hashDBFile)
logger.info("flushing query storage file")
except OSError, msg:
errMsg = "unable to flush the hashdb file (%s)" % msg
raise sqlmapFilePathException, errMsg
conf.hashDB = HashDB(conf.hashDBFile)
speed optimization and bug fix (kb.absFilePaths were not stored previously; also, they are now extracted only in heuristic phase)
2011-11-22 12:39:13 +04:00
def __resumeHashDBValues():
"""
Resume stored data values from HashDB
"""
minor update
2012-02-25 14:43:10 +04:00
kb.absFilePaths = hashDBRetrieve(HASHDB_KEYS.KB_ABS_FILE_PATHS, True) or kb.absFilePaths
kb.chars = hashDBRetrieve(HASHDB_KEYS.KB_CHARS, True) or kb.chars
kb.brute.tables = hashDBRetrieve(HASHDB_KEYS.KB_BRUTE_TABLES, True) or kb.brute.tables
kb.brute.columns = hashDBRetrieve(HASHDB_KEYS.KB_BRUTE_COLUMNS, True) or kb.brute.columns
minor bug fix
2012-02-26 02:54:32 +04:00
kb.xpCmdshellAvailable = hashDBRetrieve(HASHDB_KEYS.KB_XP_CMDSHELL_AVAILABLE) or kb.xpCmdshellAvailable
minor update
2012-02-25 14:43:10 +04:00
conf.tmpPath = conf.tmpPath or hashDBRetrieve(HASHDB_KEYS.CONF_TMP_PATH)
speed optimization and bug fix (kb.absFilePaths were not stored previously; also, they are now extracted only in heuristic phase)
2011-11-22 12:39:13 +04:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
def __setOutputResume():
"""
Check and set the output text file and the resume functionality.
"""
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
if not conf.sessionFile:
conf.sessionFile = "%s%ssession" % (conf.outputPath, os.sep)
logger.info("using '%s' as session file" % conf.sessionFile)
if os.path.exists(conf.sessionFile):
added new option --flush-session
2010-03-04 16:01:18 +03:00
if not conf.flushSession:
minor patch
2011-12-03 16:11:46 +04:00
try:
readSessionFP = codecs.open(conf.sessionFile, "r", UNICODE_ENCODING, 'replace')
__url_cache = set()
__expression_cache = {}
Added resume functionality to -d and fixed logging with -d
2010-04-12 13:35:20 +04:00
minor patch
2011-12-03 16:11:46 +04:00
for line in readSessionFP.readlines(): # xreadlines doesn't return unicode strings when codec.open() is used
if line.count("][") == 4:
line = line.split("][")
Added resume functionality to -d and fixed logging with -d
2010-04-12 13:35:20 +04:00
minor patch
2011-12-03 16:11:46 +04:00
if len(line) != 5:
continue
removed all trailing spaces from blank lines
2010-11-03 13:08:27 +03:00
minor patch
2011-12-03 16:11:46 +04:00
url, _, _, expression, value = line
removed all trailing spaces from blank lines
2010-11-03 13:08:27 +03:00
minor patch
2011-12-03 16:11:46 +04:00
if not value:
continue
removed all trailing spaces from blank lines
2010-11-03 13:08:27 +03:00
minor patch
2011-12-03 16:11:46 +04:00
if url[0] == "[":
url = url[1:]
Added resume functionality to -d and fixed logging with -d
2010-04-12 13:35:20 +04:00
minor patch
2011-12-03 16:11:46 +04:00
value = value.rstrip('\r\n') # Strips both chars independently
Added resume functionality to -d and fixed logging with -d
2010-04-12 13:35:20 +04:00
minor patch
2011-12-03 16:11:46 +04:00
if url not in ( conf.url, conf.hostname ):
continue
removed all trailing spaces from blank lines
2010-11-03 13:08:27 +03:00
minor patch
2011-12-03 16:11:46 +04:00
if url not in __url_cache:
kb.resumedQueries[url] = {}
kb.resumedQueries[url][expression] = value
__url_cache.add(url)
__expression_cache[url] = set(expression)
removed all trailing spaces from blank lines
2010-11-03 13:08:27 +03:00
minor patch
2011-12-03 16:11:46 +04:00
resumeConfKb(expression, url, value)
speedup of initial session file handling
2010-05-11 17:36:30 +04:00
minor patch
2011-12-03 16:11:46 +04:00
if expression not in __expression_cache[url]:
kb.resumedQueries[url][expression] = value
__expression_cache[url].add(value)
elif len(value) >= len(kb.resumedQueries[url][expression]):
kb.resumedQueries[url][expression] = value
Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase. Major code refactoring and commenting to detection engine. Ask user whether or not to proceed to test remaining parameters after an injection point has been identified. Restore beep at SQL injection find. Avoid reuse of same variable in DBMS handler code. Minor adjustment of payloads XML file.
2010-12-01 01:40:25 +03:00
minor patch
2011-12-03 16:11:46 +04:00
if kb.injection.place is not None and kb.injection.parameter is not None:
kb.injections.append(kb.injection)
except IOError, msg:
errMsg = "unable to properly open the session file (%s)" % msg
raise sqlmapFilePathException, errMsg
else:
readSessionFP.close()
added new option --flush-session
2010-03-04 16:01:18 +03:00
else:
try:
os.remove(conf.sessionFile)
logger.info("flushing session file")
except OSError, msg:
errMsg = "unable to flush the session file (%s)" % msg
raise sqlmapFilePathException, errMsg
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
try:
refactoring
2011-01-30 14:36:03 +03:00
conf.sessionFP = codecs.open(conf.sessionFile, "a", UNICODE_ENCODING)
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
dataToSessionFile("\n[%s]\n" % time.strftime("%X %x"))
except IOError:
errMsg = "unable to write on the session file specified"
raise sqlmapFilePathException, errMsg
After the storm, a restore..
2008-10-15 19:38:22 +04:00
introducing results file for multiple target mode
2011-05-16 02:21:38 +04:00
def __setResultsFile():
"""
removing of unused imports together with some general code refactoring
2012-02-22 14:40:11 +04:00
Create results file for storing results of running in a
introducing results file for multiple target mode
2011-05-16 02:21:38 +04:00
multiple target mode.
"""
if not conf.multipleTargets:
return
if not conf.resultsFP:
conf.resultsFilename = "%s%s%s" % (paths.SQLMAP_OUTPUT_PATH, os.sep, time.strftime(RESULTS_FILE_FORMAT).lower())
conf.resultsFP = codecs.open(conf.resultsFilename, "w+", UNICODE_ENCODING)
conf.resultsFP.writelines("Target url,Place,Parameter,Techniques%s" % os.linesep)
logger.info("using '%s' as results file" % conf.resultsFilename)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
def __createFilesDir():
"""
Create the file directory.
"""
if not conf.rFile:
return
conf.filePath = paths.SQLMAP_FILES_PATH % conf.hostname
if not os.path.isdir(conf.filePath):
os.makedirs(conf.filePath, 0755)
def __createDumpDir():
"""
Create the dump directory.
"""
Minor bug fix
2010-06-02 15:01:41 +04:00
if not conf.dumpTable and not conf.dumpAll and not conf.search:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return
conf.dumpPath = paths.SQLMAP_DUMP_PATH % conf.hostname
if not os.path.isdir(conf.dumpPath):
os.makedirs(conf.dumpPath, 0755)
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments.
2010-05-28 20:43:04 +04:00
def __configureDumper():
Hide switch -x (XML output format) as it is incomplete and bugged and won't make it for 0.9 stable
2011-02-27 15:17:41 +03:00
if hasattr(conf, 'xmlFile') and conf.xmlFile:
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments.
2010-05-28 20:43:04 +04:00
conf.dumper = xmldumper
else:
conf.dumper = dumper
conf.dumper.setOutputFile()
minor cosmetic update
2010-03-15 14:55:13 +03:00
def __createTargetDirs():
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
"""
Create the output directory.
"""
if not os.path.isdir(paths.SQLMAP_OUTPUT_PATH):
fix for a "bug" reported by Spencer J. McIntyre (os.makedirs(conf.outputPath, 0755) -> permission denied)
2010-12-09 00:16:18 +03:00
try:
os.makedirs(paths.SQLMAP_OUTPUT_PATH, 0755)
cosmetics
2010-12-09 12:24:20 +03:00
except OSError, msg:
fix for a "bug" reported by Spencer J. McIntyre (os.makedirs(conf.outputPath, 0755) -> permission denied)
2010-12-09 00:16:18 +03:00
tempDir = tempfile.mkdtemp(prefix='output')
cosmetics
2010-12-09 12:24:20 +03:00
warnMsg = "unable to create default root output directory "
warnMsg += "'%s' (%s). " % (paths.SQLMAP_OUTPUT_PATH, msg)
warnMsg += "using temporary directory '%s' instead" % tempDir
fix for a "bug" reported by Spencer J. McIntyre (os.makedirs(conf.outputPath, 0755) -> permission denied)
2010-12-09 00:16:18 +03:00
logger.warn(warnMsg)
paths.SQLMAP_OUTPUT_PATH = tempDir
conf.outputPath = "%s%s%s" % (paths.SQLMAP_OUTPUT_PATH, os.sep, conf.hostname)
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
if not os.path.isdir(conf.outputPath):
fix for a "bug" reported by Spencer J. McIntyre (os.makedirs(conf.outputPath, 0755) -> permission denied)
2010-12-09 00:16:18 +03:00
try:
os.makedirs(conf.outputPath, 0755)
cosmetics
2010-12-09 12:24:20 +03:00
except OSError, msg:
fix for a "bug" reported by Spencer J. McIntyre (os.makedirs(conf.outputPath, 0755) -> permission denied)
2010-12-09 00:16:18 +03:00
tempDir = tempfile.mkdtemp(prefix='output')
cosmetics
2010-12-09 12:24:20 +03:00
warnMsg = "unable to create output directory "
warnMsg += "'%s' (%s). " % (conf.outputPath, msg)
fix for a "bug" reported by Spencer J. McIntyre (os.makedirs(conf.outputPath, 0755) -> permission denied)
2010-12-09 00:16:18 +03:00
warnMsg += "using temporary directory '%s' instead" % tempDir
logger.warn(warnMsg)
conf.outputPath = tempDir
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
__createDumpDir()
__createFilesDir()
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments.
2010-05-28 20:43:04 +04:00
__configureDumper()
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
important update regarding restoring of potentially changed switch values in multi-target mode and/or missing switch values in resume mode
2011-01-02 13:37:32 +03:00
def __restoreCmdLineOptions():
"""
removing of unused imports together with some general code refactoring
2012-02-22 14:40:11 +04:00
Restore command line options that could be possibly
important update regarding restoring of potentially changed switch values in multi-target mode and/or missing switch values in resume mode
2011-01-02 13:37:32 +03:00
changed during the testing of previous target.
"""
conf.regexp = cmdLineOptions.regexp
conf.string = cmdLineOptions.string
conf.textOnly = cmdLineOptions.textOnly
After the storm, a restore..
2008-10-15 19:38:22 +04:00
def initTargetEnv():
"""
Initialize target environment.
"""
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation
2008-11-28 01:33:33 +03:00
if conf.multipleTargets:
we haven't closed session file for previous target which lead to potentially nasty problems in multi target mode
2011-01-20 20:53:49 +03:00
if conf.sessionFP:
conf.sessionFP.close()
switching to SQLite resume support (on error and union techniques this moment)
2011-09-26 00:36:32 +04:00
if conf.hashDB:
conf.hashDB.close()
Minor code restyling
2010-04-06 14:15:19 +04:00
if conf.cj:
fix for that update (conf.cj) problem mentioned by shiftzwei@gmail.com
2010-04-09 14:16:15 +04:00
conf.cj.clear()
Minor code restyling
2010-04-06 14:15:19 +04:00
Minor code restyling
2011-04-30 17:20:05 +04:00
conf.paramDict = {}
conf.parameters = {}
conf.sessionFile = None
switching to SQLite resume support (on error and union techniques this moment)
2011-09-26 00:36:32 +04:00
conf.hashDBFile = None
more update regarding error based injection support
2010-10-19 22:17:34 +04:00
bug fix
2010-12-18 13:02:01 +03:00
__setKnowledgeBaseAttributes(False)
important update regarding restoring of potentially changed switch values in multi-target mode and/or missing switch values in resume mode
2011-01-02 13:37:32 +03:00
__restoreCmdLineOptions()
bug fix
2010-12-18 13:02:01 +03:00
__setDBMS()
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation
2008-11-28 01:33:33 +03:00
fix for Issue #170
2010-03-15 14:33:34 +03:00
def setupTargetEnv():
minor cosmetic update
2010-03-15 14:55:13 +03:00
__createTargetDirs()
After the storm, a restore..
2008-10-15 19:38:22 +04:00
__setRequestParams()
__setOutputResume()
minor fix
2011-09-26 17:01:43 +04:00
__setHashDB()
speed optimization and bug fix (kb.absFilePaths were not stored previously; also, they are now extracted only in heuristic phase)
2011-11-22 12:39:13 +04:00
__resumeHashDBValues()
introducing results file for multiple target mode
2011-05-16 02:21:38 +04:00
__setResultsFile()
Reference in New Issue Copy Permalink