sqlmap/lib/controller/controller.py

#!/usr/bin/env python

"""
$Id$

This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.

sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
details.

You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
"""

from lib.controller.action import action
from lib.controller.checks import checkSqlInjection
from lib.controller.checks import checkDynParam
from lib.controller.checks import checkStability
from lib.controller.checks import checkString
from lib.controller.checks import checkRegexp
from lib.controller.checks import checkConnection
from lib.core.common import paramToDict
from lib.core.common import parseTargetUrl
from lib.core.common import readInput
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.exception import sqlmapNotVulnerableException
from lib.core.session import setInjection
from lib.core.target import initTargetEnv
from lib.core.target import setupTargetEnv
from lib.utils.parenthesis import checkForParenthesis

def __selectInjection(injData):
    """
    Selection function for injection place, parameters and type.
    """

    message  = "there were multiple injection points, please select the "
    message += "one to use to go ahead:\n"

    for i in xrange(0, len(injData)):
        injPlace     = injData[i][0]
        injParameter = injData[i][1]
        injType      = injData[i][2]

        message += "[%d] place: %s, parameter: " % (i, injPlace)
        message += "%s, type: %s" % (injParameter, injType)

        if i == 0:
            message += " (default)"

        message += "\n"

    message += "[q] Quit"
    select   = readInput(message, default="0")

    if not select:
        index = 0

    elif select.isdigit() and int(select) < len(injData) and int(select) >= 0:
        index = int(select)

    elif select[0] in ( "Q", "q" ):
        return "Quit"

    else:
        warnMsg = "Invalid choice, retry"
        logger.warn(warnMsg)
        __selectInjection(injData)

    return injData[index]

def start():
    """
    This function calls a function that performs checks on both URL
    stability and all GET, POST, Cookie and User-Agent parameters to
    check if they are dynamic and SQL injection affected
    """

    if conf.url:
        kb.targetUrls.add(( conf.url, conf.method, conf.data, conf.cookie ))

    if conf.configFile and not kb.targetUrls:
        errMsg  = "you did not edit the configuration file properly, set "
        errMsg += "the target url, list of targets or google dork"
        logger.error(errMsg)

    if kb.targetUrls and len(kb.targetUrls) > 1:
        infoMsg = "sqlmap got a total of %d targets" % len(kb.targetUrls)
        logger.info(infoMsg)

    hostCount               = 0
    cookieStr               = ""
    setCookieAsInjectable   = True

    for targetUrl, targetMethod, targetData, targetCookie in kb.targetUrls:
        conf.url    = targetUrl
        conf.method = targetMethod
        conf.data   = targetData
        conf.cookie = targetCookie
        injData     = []

        if conf.multipleTargets:
            hostCount += 1
            message = "url %d:\n%s %s" % (hostCount, conf.method or "GET", targetUrl)

            if conf.cookie:
                message += "\nCookie: %s" % conf.cookie

            if conf.data:
                message += "\nPOST data: %s" % conf.data

            message += "\ndo you want to test this url? [Y/n/q]"
            test = readInput(message, default="Y")

            if not test:
                pass
            elif test[0] in ("n", "N"):
                continue
            elif test[0] in ("q", "Q"):
                break

            logMsg = "testing url %s" % targetUrl
            logger.info(logMsg)
        
        initTargetEnv()
        parseTargetUrl()
        setupTargetEnv()

        if not checkConnection() or not checkString() or not checkRegexp():
            continue

        if not conf.dropSetCookie:
            for _, cookie in enumerate(conf.cj):
                cookie = str(cookie)
                index  = cookie.index(" for ")
    
                cookieStr += "%s;" % cookie[8:index]

            if cookieStr:
                cookieStr = cookieStr[:-1]
    
                if "Cookie" in conf.parameters:
                    message  = "you provided an HTTP Cookie header value. "
                    message += "The target url provided its own Cookie within "
                    message += "the HTTP Set-Cookie header. Do you want to "
                    message += "continue using the HTTP Cookie values that "
                    message += "you provided? [Y/n] "
                    test = readInput(message, default="Y")
    
                    if not test or test[0] in ("y", "Y"):
                        setCookieAsInjectable = False
    
                if setCookieAsInjectable:
                    conf.httpHeaders.append(("Cookie", cookieStr))
                    conf.parameters["Cookie"] = cookieStr
                    __paramDict = paramToDict("Cookie", cookieStr)
    
                    if __paramDict:
                        conf.paramDict["Cookie"] = __paramDict
                        __testableParameters = True

        if not kb.injPlace or not kb.injParameter or not kb.injType:
            if not conf.string and not conf.regexp and not conf.eRegexp:
                # NOTE: this is not needed anymore, leaving only to display
                # a warning message to the user in case the page is not stable
                checkStability()

            for place in conf.parameters.keys():
                if not conf.paramDict.has_key(place):
                    continue

                paramDict = conf.paramDict[place]

                for parameter, value in paramDict.items():
                    testSqlInj = True

                    # Avoid dinamicity test if the user provided the
                    # parameter manually
                    if parameter in conf.testParameter:
                        pass

                    elif not checkDynParam(place, parameter, value):
                        warnMsg = "%s parameter '%s' is not dynamic" % (place, parameter)
                        logger.warn(warnMsg)
                        testSqlInj = False

                    else:
                        logMsg = "%s parameter '%s' is dynamic" % (place, parameter)
                        logger.info(logMsg)

                    if testSqlInj:
                        for parenthesis in range(0, 4):
                            logMsg  = "testing sql injection on %s " % place
                            logMsg += "parameter '%s' with " % parameter
                            logMsg += "%d parenthesis" % parenthesis
                            logger.info(logMsg)

                            injType = checkSqlInjection(place, parameter, value, parenthesis)

                            if injType:
                                injData.append((place, parameter, injType))

                                break
                            else:
                                infoMsg  = "%s parameter '%s' is not " % (place, parameter)
                                infoMsg += "injectable with %d parenthesis" % parenthesis
                                logger.info(infoMsg)

                        if not injData:
                            warnMsg  = "%s parameter '%s' is not " % (place, parameter)
                            warnMsg += "injectable"
                            logger.warn(warnMsg)

        if not kb.injPlace or not kb.injParameter or not kb.injType:
            if len(injData) == 1:
                injDataSelected = injData[0]

            elif len(injData) > 1:
                injDataSelected = __selectInjection(injData)

            elif conf.multipleTargets:
                continue

            else:
                return

            if injDataSelected == "Quit":
                return

            else:
                kb.injPlace, kb.injParameter, kb.injType = injDataSelected
                setInjection()

        if not conf.multipleTargets and ( not kb.injPlace or not kb.injParameter or not kb.injType ):
            raise sqlmapNotVulnerableException, "all parameters are not injectable"
        elif kb.injPlace and kb.injParameter and kb.injType:
            if conf.multipleTargets:
                message = "do you want to exploit this SQL injection? [Y/n] "
                exploit = readInput(message, default="Y")

                condition = not exploit or exploit[0] in ("y", "Y")
            else:
                condition = True

            if condition:
                checkForParenthesis()
                action()

    if conf.loggedToOut:
        logger.info("Fetched data logged to text files under '%s'" % conf.outputPath)
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`This file is part of the sqlmap project, http://sqlmap.sourceforge.net.`

Updated copyright 2010-03-03 18:26:27 +03:00			`Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`sqlmap is free software; you can redistribute it and/or modify it under`
			`the terms of the GNU General Public License as published by the Free`
			`Software Foundation version 2 of the License.`

			`sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY`
			`WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS`
			`FOR A PARTICULAR PURPOSE. See the GNU General Public License for more`
			`details.`

			`You should have received a copy of the GNU General Public License along`
			`with sqlmap; if not, write to the Free Software Foundation, Inc., 51`
			`Franklin St, Fifth Floor, Boston, MA 02110-1301 USA`
			`"""`

			`from lib.controller.action import action`
			`from lib.controller.checks import checkSqlInjection`
			`from lib.controller.checks import checkDynParam`
			`from lib.controller.checks import checkStability`
			`from lib.controller.checks import checkString`
Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3. 2008-12-12 22:06:31 +03:00			`from lib.controller.checks import checkRegexp`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.controller.checks import checkConnection`
			`from lib.core.common import paramToDict`
Minor bug fix 2010-03-05 18:25:53 +03:00			`from lib.core.common import parseTargetUrl`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.common import readInput`
			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
			`from lib.core.exception import sqlmapNotVulnerableException`
			`from lib.core.session import setInjection`
minor cosmetic update 2010-03-15 14:55:13 +03:00			`from lib.core.target import initTargetEnv`
			`from lib.core.target import setupTargetEnv`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.utils.parenthesis import checkForParenthesis`

			`def __selectInjection(injData):`
			`"""`
			`Selection function for injection place, parameters and type.`
			`"""`

			`message = "there were multiple injection points, please select the "`
			`message += "one to use to go ahead:\n"`

			`for i in xrange(0, len(injData)):`
Updated work on multiple targets support (works for WebScarab conversations/ folder, still to work out for Burp log file). Major bug fix in the controller library. 2008-11-22 04:57:22 +03:00			`injPlace = injData[i][0]`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`injParameter = injData[i][1]`
Updated work on multiple targets support (works for WebScarab conversations/ folder, still to work out for Burp log file). Major bug fix in the controller library. 2008-11-22 04:57:22 +03:00			`injType = injData[i][2]`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`message += "[%d] place: %s, parameter: " % (i, injPlace)`
			`message += "%s, type: %s" % (injParameter, injType)`

			`if i == 0:`
			`message += " (default)"`

			`message += "\n"`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`message += "[q] Quit"`
Updated work on multiple targets support (works for WebScarab conversations/ folder, still to work out for Burp log file). Major bug fix in the controller library. 2008-11-22 04:57:22 +03:00			`select = readInput(message, default="0")`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if not select:`
			`index = 0`

			`elif select.isdigit() and int(select) < len(injData) and int(select) >= 0:`
			`index = int(select)`

			`elif select[0] in ( "Q", "q" ):`
			`return "Quit"`

			`else:`
			`warnMsg = "Invalid choice, retry"`
			`logger.warn(warnMsg)`
			`__selectInjection(injData)`

			`return injData[index]`

			`def start():`
			`"""`
			`This function calls a function that performs checks on both URL`
			`stability and all GET, POST, Cookie and User-Agent parameters to`
			`check if they are dynamic and SQL injection affected`
			`"""`

			`if conf.url:`
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation 2008-11-28 01:33:33 +03:00			`kb.targetUrls.add(( conf.url, conf.method, conf.data, conf.cookie ))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.configFile and not kb.targetUrls:`
			`errMsg = "you did not edit the configuration file properly, set "`
Adapted the code to support a list of targets from a text file (Burp log file) or from a directory (WebScarab conversations folder) with command line option -l. 2008-11-20 20:56:09 +03:00			`errMsg += "the target url, list of targets or google dork"`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`logger.error(errMsg)`

Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation 2008-11-28 01:33:33 +03:00			`if kb.targetUrls and len(kb.targetUrls) > 1:`
			`infoMsg = "sqlmap got a total of %d targets" % len(kb.targetUrls)`
			`logger.info(infoMsg)`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`hostCount = 0`
			`cookieStr = ""`
			`setCookieAsInjectable = True`

Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation 2008-11-28 01:33:33 +03:00			`for targetUrl, targetMethod, targetData, targetCookie in kb.targetUrls:`
			`conf.url = targetUrl`
			`conf.method = targetMethod`
			`conf.data = targetData`
			`conf.cookie = targetCookie`
			`injData = []`

Adapted the code to support a list of targets from a text file (Burp log file) or from a directory (WebScarab conversations folder) with command line option -l. 2008-11-20 20:56:09 +03:00			`if conf.multipleTargets:`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`hostCount += 1`
Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3. 2008-12-12 22:06:31 +03:00			`message = "url %d:\n%s %s" % (hostCount, conf.method or "GET", targetUrl)`
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation 2008-11-28 01:33:33 +03:00
			`if conf.cookie:`
			`message += "\nCookie: %s" % conf.cookie`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation 2008-11-28 01:33:33 +03:00			`if conf.data:`
			`message += "\nPOST data: %s" % conf.data`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`message += "\ndo you want to test this url? [Y/n/q]"`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`test = readInput(message, default="Y")`

Adapted the code to support a list of targets from a text file (Burp log file) or from a directory (WebScarab conversations folder) with command line option -l. 2008-11-20 20:56:09 +03:00			`if not test:`
			`pass`
			`elif test[0] in ("n", "N"):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`continue`
			`elif test[0] in ("q", "Q"):`
			`break`

			`logMsg = "testing url %s" % targetUrl`
			`logger.info(logMsg)`
fix for Issue #170 2010-03-15 14:33:34 +03:00
			`initTargetEnv()`
Minor bug fix 2010-03-05 18:25:53 +03:00			`parseTargetUrl()`
fix for Issue #170 2010-03-15 14:33:34 +03:00			`setupTargetEnv()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3. 2008-12-12 22:06:31 +03:00			`if not checkConnection() or not checkString() or not checkRegexp():`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`continue`

sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`if not conf.dropSetCookie:`
			`for _, cookie in enumerate(conf.cj):`
			`cookie = str(cookie)`
			`index = cookie.index(" for ")`

			`cookieStr += "%s;" % cookie[8:index]`

			`if cookieStr:`
			`cookieStr = cookieStr[:-1]`

			`if "Cookie" in conf.parameters:`
			`message = "you provided an HTTP Cookie header value. "`
			`message += "The target url provided its own Cookie within "`
			`message += "the HTTP Set-Cookie header. Do you want to "`
			`message += "continue using the HTTP Cookie values that "`
			`message += "you provided? [Y/n] "`
			`test = readInput(message, default="Y")`

			`if not test or test[0] in ("y", "Y"):`
			`setCookieAsInjectable = False`

			`if setCookieAsInjectable:`
changes regarding Data (GET/POST/Cookie) encoding (Bug #129) 2010-01-14 21:05:03 +03:00			`conf.httpHeaders.append(("Cookie", cookieStr))`
			`conf.parameters["Cookie"] = cookieStr`
			`__paramDict = paramToDict("Cookie", cookieStr)`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00
			`if __paramDict:`
			`conf.paramDict["Cookie"] = __paramDict`
			`__testableParameters = True`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if not kb.injPlace or not kb.injParameter or not kb.injType:`
Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3. 2008-12-12 22:06:31 +03:00			`if not conf.string and not conf.regexp and not conf.eRegexp:`
Major enhancement to make the comparison algorithm work properly also on url not stables automatically by using the difflib SequenceMatcher object: this changed a lot into the structure of the code, has to be extensively beta-tested! Please, do report bugs on sqlmap-users mailing list if you scout them. Cheers, Bernardo 2008-12-20 04:54:08 +03:00			`# NOTE: this is not needed anymore, leaving only to display`
			`# a warning message to the user in case the page is not stable`
			`checkStability()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`for place in conf.parameters.keys():`
			`if not conf.paramDict.has_key(place):`
			`continue`

			`paramDict = conf.paramDict[place]`

			`for parameter, value in paramDict.items():`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`testSqlInj = True`

			`# Avoid dinamicity test if the user provided the`
			`# parameter manually`
			`if parameter in conf.testParameter:`
			`pass`

			`elif not checkDynParam(place, parameter, value):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`warnMsg = "%s parameter '%s' is not dynamic" % (place, parameter)`
			`logger.warn(warnMsg)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`testSqlInj = False`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`else:`
			`logMsg = "%s parameter '%s' is dynamic" % (place, parameter)`
			`logger.info(logMsg)`

sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`if testSqlInj:`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`for parenthesis in range(0, 4):`
			`logMsg = "testing sql injection on %s " % place`
			`logMsg += "parameter '%s' with " % parameter`
			`logMsg += "%d parenthesis" % parenthesis`
			`logger.info(logMsg)`

			`injType = checkSqlInjection(place, parameter, value, parenthesis)`

			`if injType:`
			`injData.append((place, parameter, injType))`

			`break`
			`else:`
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation 2008-11-28 01:33:33 +03:00			`infoMsg = "%s parameter '%s' is not " % (place, parameter)`
			`infoMsg += "injectable with %d parenthesis" % parenthesis`
			`logger.info(infoMsg)`

			`if not injData:`
			`warnMsg = "%s parameter '%s' is not " % (place, parameter)`
			`warnMsg += "injectable"`
			`logger.warn(warnMsg)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if not kb.injPlace or not kb.injParameter or not kb.injType:`
			`if len(injData) == 1:`
			`injDataSelected = injData[0]`
Updated work on multiple targets support (works for WebScarab conversations/ folder, still to work out for Burp log file). Major bug fix in the controller library. 2008-11-22 04:57:22 +03:00
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`elif len(injData) > 1:`
			`injDataSelected = __selectInjection(injData)`
Updated work on multiple targets support (works for WebScarab conversations/ folder, still to work out for Burp log file). Major bug fix in the controller library. 2008-11-22 04:57:22 +03:00
			`elif conf.multipleTargets:`
			`continue`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`else:`
			`return`

			`if injDataSelected == "Quit":`
			`return`
Updated work on multiple targets support (works for WebScarab conversations/ folder, still to work out for Burp log file). Major bug fix in the controller library. 2008-11-22 04:57:22 +03:00
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`else:`
			`kb.injPlace, kb.injParameter, kb.injType = injDataSelected`
			`setInjection()`

Adapted the code to support a list of targets from a text file (Burp log file) or from a directory (WebScarab conversations folder) with command line option -l. 2008-11-20 20:56:09 +03:00			`if not conf.multipleTargets and ( not kb.injPlace or not kb.injParameter or not kb.injType ):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`raise sqlmapNotVulnerableException, "all parameters are not injectable"`
			`elif kb.injPlace and kb.injParameter and kb.injType:`
Adapted the code to support a list of targets from a text file (Burp log file) or from a directory (WebScarab conversations folder) with command line option -l. 2008-11-20 20:56:09 +03:00			`if conf.multipleTargets:`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`message = "do you want to exploit this SQL injection? [Y/n] "`
			`exploit = readInput(message, default="Y")`

sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`condition = not exploit or exploit[0] in ("y", "Y")`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`else:`
			`condition = True`

			`if condition:`
			`checkForParenthesis()`
			`action()`

			`if conf.loggedToOut:`
			`logger.info("Fetched data logged to text files under '%s'" % conf.outputPath)`