sqlmap/lib/controller/controller.py

428 lines
16 KiB
Python
Raw Normal View History

2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
2008-10-15 19:56:32 +04:00
$Id$
2008-10-15 19:38:22 +04:00
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
2008-10-15 19:38:22 +04:00
"""
2010-10-15 04:34:16 +04:00
import re
2008-10-15 19:38:22 +04:00
from lib.controller.action import action
from lib.controller.checks import checkSqlInjection
2010-10-11 16:26:35 +04:00
from lib.controller.checks import heuristicCheckSqlInjection
2008-10-15 19:38:22 +04:00
from lib.controller.checks import checkDynParam
from lib.controller.checks import checkStability
from lib.controller.checks import checkString
from lib.controller.checks import checkRegexp
2008-10-15 19:38:22 +04:00
from lib.controller.checks import checkConnection
2010-09-16 12:43:10 +04:00
from lib.controller.checks import checkNullConnection
from lib.core.agent import agent
from lib.core.common import dataToStdout
2010-06-02 16:45:40 +04:00
from lib.core.common import getUnicode
2008-10-15 19:38:22 +04:00
from lib.core.common import paramToDict
2010-03-05 18:25:53 +03:00
from lib.core.common import parseTargetUrl
2008-10-15 19:38:22 +04:00
from lib.core.common import readInput
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.dump import dumper
2010-11-08 12:44:32 +03:00
from lib.core.enums import HTTPMETHOD
from lib.core.enums import PAYLOAD
2010-11-08 12:44:32 +03:00
from lib.core.enums import PLACE
from lib.core.exception import exceptionsTuple
2008-10-15 19:38:22 +04:00
from lib.core.exception import sqlmapNotVulnerableException
from lib.core.exception import sqlmapSilentQuitException
from lib.core.exception import sqlmapValueException
2010-09-30 23:45:23 +04:00
from lib.core.exception import sqlmapUserQuitException
from lib.core.session import setBooleanBased
from lib.core.session import setError
2008-10-15 19:38:22 +04:00
from lib.core.session import setInjection
from lib.core.session import setMatchRatio
from lib.core.session import setStacked
from lib.core.session import setTimeBased
2010-03-15 14:55:13 +03:00
from lib.core.target import initTargetEnv
from lib.core.target import setupTargetEnv
2008-10-15 19:38:22 +04:00
def __saveToSessionFile():
for inj in kb.injections:
place = inj.place
parameter = inj.parameter
for stype, sdata in inj.data.items():
payload = sdata[3]
if stype == 1:
kb.booleanTest = payload
setBooleanBased(place, parameter, payload)
elif stype == 2:
kb.errorTest = payload
setError(place, parameter, payload)
elif stype == 4:
kb.stackedTest = payload
setStacked(place, parameter, payload)
elif stype == 5:
kb.timeTest = payload
setTimeBased(place, parameter, payload)
setInjection(inj)
def __selectInjection():
2008-10-15 19:38:22 +04:00
"""
Selection function for injection place, parameters and type.
"""
# TODO: when resume from session file, feed kb.injections and call
# __selectInjection()
points = []
2008-10-15 19:38:22 +04:00
for i in xrange(0, len(kb.injections)):
place = kb.injections[i].place
parameter = kb.injections[i].parameter
ptype = kb.injections[i].ptype
2008-10-15 19:38:22 +04:00
point = (place, parameter, ptype)
2008-10-15 19:38:22 +04:00
if point not in points:
points.append(point)
2008-10-15 19:38:22 +04:00
if len(points) == 1:
kb.injection = kb.injections[0]
elif len(points) > 1:
message = "there were multiple injection points, please select "
message += "the one to use for following injections:\n"
2008-10-15 19:38:22 +04:00
points = []
2008-10-15 19:38:22 +04:00
for i in xrange(0, len(kb.injections)):
place = kb.injections[i].place
parameter = kb.injections[i].parameter
ptype = kb.injections[i].ptype
point = (place, parameter, ptype)
2008-10-15 19:38:22 +04:00
if point not in points:
points.append(point)
2008-10-15 19:38:22 +04:00
message += "[%d] place: %s, parameter: " % (i, place)
message += "%s, type: %s" % (parameter, PAYLOAD.PARAMETER[ptype])
2008-10-15 19:38:22 +04:00
if i == 0:
message += " (default)"
2008-10-15 19:38:22 +04:00
message += "\n"
message += "[q] Quit"
select = readInput(message, default="0")
if select.isdigit() and int(select) < len(kb.injections) and int(select) >= 0:
index = int(select)
elif select[0] in ( "Q", "q" ):
raise sqlmapUserQuitException
else:
errMsg = "invalid choice"
raise sqlmapValueException, errMsg
kb.injection = kb.injections[index]
def __formatInjection(inj):
header = "Place: %s\n" % inj.place
header += "Parameter: %s\n" % inj.parameter
data = ""
for stype, sdata in inj.data.items():
data += "Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
data += "Payload: %s\n\n" % sdata[3]
return header, data
def __showInjections():
dataToStdout("sqlmap identified the following injection points:\n")
for inj in kb.injections:
header, data = __formatInjection(inj)
dumper.technic(header, data)
2008-10-15 19:38:22 +04:00
def start():
"""
This function calls a function that performs checks on both URL
stability and all GET, POST, Cookie and User-Agent parameters to
check if they are dynamic and SQL injection affected
"""
if not conf.start:
2010-09-26 18:56:55 +04:00
return False
if conf.direct:
initTargetEnv()
setupTargetEnv()
action()
2010-09-26 18:56:55 +04:00
return True
if conf.url and not conf.forms:
kb.targetUrls.add(( conf.url, conf.method, conf.data, conf.cookie ))
2008-10-15 19:38:22 +04:00
if conf.configFile and not kb.targetUrls:
errMsg = "you did not edit the configuration file properly, set "
errMsg += "the target url, list of targets or google dork"
2008-10-15 19:38:22 +04:00
logger.error(errMsg)
2010-09-26 18:56:55 +04:00
return False
2008-10-15 19:38:22 +04:00
if kb.targetUrls and len(kb.targetUrls) > 1:
infoMsg = "sqlmap got a total of %d targets" % len(kb.targetUrls)
logger.info(infoMsg)
hostCount = 0
cookieStr = ""
setCookieAsInjectable = True
2008-10-15 19:38:22 +04:00
for targetUrl, targetMethod, targetData, targetCookie in kb.targetUrls:
try:
conf.url = targetUrl
conf.method = targetMethod
conf.data = targetData
conf.cookie = targetCookie
injData = []
2010-10-15 13:54:29 +04:00
2010-10-15 04:34:16 +04:00
initTargetEnv()
parseTargetUrl()
2010-10-15 13:54:29 +04:00
2010-10-15 04:34:16 +04:00
testSqlInj = False
2010-11-08 12:44:32 +03:00
if PLACE.GET in conf.parameters:
for parameter in re.findall(r"([^=]+)=[^&]+&?", conf.parameters[PLACE.GET]):
paramKey = (conf.hostname, conf.path, PLACE.GET, parameter)
2010-10-15 04:34:16 +04:00
if paramKey not in kb.testedParams:
testSqlInj = True
break
2010-10-15 13:54:29 +04:00
else:
paramKey = (conf.hostname, conf.path, None, None)
if paramKey not in kb.testedParams:
testSqlInj = True
2010-10-15 04:34:16 +04:00
if not testSqlInj:
infoMsg = "skipping '%s'" % targetUrl
logger.info(infoMsg)
continue
if conf.multipleTargets:
hostCount += 1
2010-11-15 14:50:33 +03:00
if conf.forms:
name = kb.formNames[(targetUrl, targetMethod, targetData, targetCookie)]
message = "[#%d] %s:\n%s %s" % (hostCount, "form%s" % (" '%s'" % name if name else ""), conf.method or HTTPMETHOD.GET, targetUrl)
else:
message = "%s %d:\n%s %s" % ("url", hostCount, conf.method or HTTPMETHOD.GET, targetUrl)
if conf.cookie:
message += "\nCookie: %s" % conf.cookie
if conf.data:
message += "\nPOST data: %s" % repr(conf.data) if conf.data else ""
if conf.forms:
if conf.method == HTTPMETHOD.GET and targetUrl.find("?") == -1:
continue
message += "\ndo you want to test this form? [Y/n/q] "
test = readInput(message, default="Y")
if not test or test[0] in ("y", "Y"):
if conf.method == HTTPMETHOD.POST:
message = "Edit POST data [default: %s]: " % (conf.data if conf.data else "")
conf.data = readInput(message, default=conf.data)
elif conf.method == HTTPMETHOD.GET:
if conf.url.find("?") > -1:
firstPart = conf.url[:conf.url.find("?")]
secondPart = conf.url[conf.url.find("?")+1:]
message = "Edit GET data [default: %s]: " % secondPart
test = readInput(message, default=secondPart)
conf.url = "%s?%s" % (firstPart, test)
elif test[0] in ("n", "N"):
continue
elif test[0] in ("q", "Q"):
break
2008-10-15 19:38:22 +04:00
else:
message += "\ndo you want to test this url? [Y/n/q]"
test = readInput(message, default="Y")
if not test or test[0] in ("y", "Y"):
pass
elif test[0] in ("n", "N"):
continue
elif test[0] in ("q", "Q"):
break
2008-10-15 19:38:22 +04:00
logMsg = "testing url %s" % targetUrl
logger.info(logMsg)
setupTargetEnv()
2010-11-15 15:19:22 +03:00
if not checkConnection(conf.forms) or not checkString() or not checkRegexp():
2008-10-15 19:38:22 +04:00
continue
if conf.nullConnection:
checkNullConnection()
2010-09-16 12:43:10 +04:00
2010-09-26 18:02:13 +04:00
if not conf.dropSetCookie and conf.cj:
for _, cookie in enumerate(conf.cj):
2010-06-02 16:45:40 +04:00
cookie = getUnicode(cookie)
index = cookie.index(" for ")
cookieStr += "%s;" % cookie[8:index]
2008-10-15 19:38:22 +04:00
if cookieStr:
cookieStr = cookieStr[:-1]
2010-11-08 12:44:32 +03:00
if PLACE.COOKIE in conf.parameters:
message = "you provided an HTTP Cookie header value. "
message += "The target url provided its own Cookie within "
message += "the HTTP Set-Cookie header. Do you want to "
message += "continue using the HTTP Cookie values that "
message += "you provided? [Y/n] "
test = readInput(message, default="Y")
if not test or test[0] in ("y", "Y"):
setCookieAsInjectable = False
if setCookieAsInjectable:
2010-11-08 16:26:45 +03:00
conf.httpHeaders.append(("Cookie", cookieStr))
2010-11-08 12:44:32 +03:00
conf.parameters[PLACE.COOKIE] = cookieStr
__paramDict = paramToDict(PLACE.COOKIE, cookieStr)
if __paramDict:
2010-11-08 12:44:32 +03:00
conf.paramDict[PLACE.COOKIE] = __paramDict
2010-03-21 03:39:44 +03:00
# TODO: consider the following line in __setRequestParams()
__testableParameters = True
2008-10-15 19:38:22 +04:00
if not kb.injection.place or not kb.injection.parameter:
if not conf.string and not conf.regexp and not conf.eRegexp:
# NOTE: this is not needed anymore, leaving only to display
# a warning message to the user in case the page is not stable
checkStability()
2010-11-08 02:37:15 +03:00
# Do a little prioritization reorder of a testable parameter list
parameters = conf.parameters.keys()
2010-11-08 12:44:32 +03:00
for place in (PLACE.URI, PLACE.POST, PLACE.GET):
2010-11-08 02:37:15 +03:00
if place in parameters:
parameters.remove(place)
parameters.insert(0, place)
for place in parameters:
if not conf.paramDict.has_key(place):
continue
paramDict = conf.paramDict[place]
for parameter, value in paramDict.items():
testSqlInj = True
# TODO: with the new detection engine, review this
# part. Perhaps dynamicity test will not be of any
# use
2010-10-15 04:34:16 +04:00
paramKey = (conf.hostname, conf.path, place, parameter)
if paramKey in kb.testedParams:
testSqlInj = False
2010-10-15 04:34:16 +04:00
infoMsg = "skipping previously processed %s parameter '%s'" % (place, parameter)
logger.info(infoMsg)
# Avoid dinamicity test if the user provided the
# parameter manually
elif parameter in conf.testParameter:
pass
2010-10-15 04:34:16 +04:00
elif not checkDynParam(place, parameter, value):
warnMsg = "%s parameter '%s' is not dynamic" % (place, parameter)
logger.warn(warnMsg)
testSqlInj = False
2010-10-15 04:34:16 +04:00
else:
logMsg = "%s parameter '%s' is dynamic" % (place, parameter)
2008-10-15 19:38:22 +04:00
logger.info(logMsg)
kb.testedParams.add(paramKey)
if testSqlInj:
# TODO: with the new detection engine, review this
# part. This will be moved to payloads.xml as well
2010-10-11 16:26:35 +04:00
heuristicCheckSqlInjection(place, parameter, value)
2010-10-15 04:34:16 +04:00
logMsg = "testing sql injection on %s " % place
logMsg += "parameter '%s'" % parameter
logger.info(logMsg)
2010-10-15 04:34:16 +04:00
injection = checkSqlInjection(place, parameter, value)
2008-10-15 19:38:22 +04:00
if injection:
kb.injections.append(injection)
else:
warnMsg = "%s parameter '%s' is not " % (place, parameter)
warnMsg += "injectable"
logger.warn(warnMsg)
if len(kb.injections) == 0 and not kb.injection.place and not kb.injection.parameter:
errMsg = "all parameters are not injectable, try "
errMsg += "a higher --level"
raise sqlmapNotVulnerableException, errMsg
else:
__saveToSessionFile()
__showInjections()
__selectInjection()
2008-10-15 19:38:22 +04:00
if kb.injection.place and kb.injection.parameter:
if conf.multipleTargets:
message = "do you want to exploit this SQL injection? [Y/n] "
exploit = readInput(message, default="Y")
2008-10-15 19:38:22 +04:00
condition = not exploit or exploit[0] in ("y", "Y")
else:
condition = True
if condition:
2010-11-04 19:47:18 +03:00
if kb.paramMatchRatio:
conf.matchRatio = kb.paramMatchRatio[(kb.injection.place, kb.injection.parameter)]
2010-11-04 19:47:18 +03:00
setMatchRatio()
2010-11-07 18:34:52 +03:00
action()
except KeyboardInterrupt:
2010-11-05 19:03:12 +03:00
if conf.multipleTargets:
2010-11-05 19:08:42 +03:00
warnMsg = "Ctrl+C detected in multiple target mode"
2010-11-05 19:03:12 +03:00
logger.warn(warnMsg)
2010-11-07 19:23:03 +03:00
message = "do you want to skip to the next target in list? [Y/n/q]"
2010-11-05 19:03:12 +03:00
test = readInput(message, default="Y")
2010-11-05 19:03:12 +03:00
if not test or test[0] in ("y", "Y"):
pass
elif test[0] in ("n", "N"):
return False
elif test[0] in ("q", "Q"):
raise sqlmapUserQuitException
else:
raise
2010-09-30 23:45:23 +04:00
except sqlmapUserQuitException:
raise
2010-11-10 22:44:51 +03:00
except sqlmapSilentQuitException:
raise
except exceptionsTuple, e:
2010-06-02 16:45:40 +04:00
e = getUnicode(e)
2008-10-15 19:38:22 +04:00
if conf.multipleTargets:
2010-11-15 15:19:22 +03:00
e += ", skipping to the next %s" % ("form" if conf.forms else "url")
logger.error(e)
else:
2010-09-27 17:41:18 +04:00
logger.critical(e)
2010-09-26 18:56:55 +04:00
return False
2008-10-15 19:38:22 +04:00
if conf.loggedToOut:
logger.info("Fetched data logged to text files under '%s'" % conf.outputPath)
2010-09-26 18:56:55 +04:00
return True