sqlmap/lib/core/common.py

3292 lines
104 KiB
Python
Raw Normal View History

2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
2012-07-12 21:38:03 +04:00
Copyright (c) 2006-2012 sqlmap developers (http://sqlmap.org/)
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
2008-10-15 19:38:22 +04:00
"""
import codecs
2012-07-01 03:19:54 +04:00
import contextlib
2012-03-08 14:19:34 +04:00
import cookielib
import copy
2010-10-28 00:39:50 +04:00
import ctypes
import httplib
import inspect
2011-04-20 02:54:13 +04:00
import logging
import ntpath
2008-10-15 19:38:22 +04:00
import os
import posixpath
2008-10-15 19:38:22 +04:00
import random
import re
import socket
2008-10-15 19:38:22 +04:00
import string
import struct
2008-10-15 19:38:22 +04:00
import sys
import time
2011-10-24 22:11:34 +04:00
import urllib
2008-10-15 19:38:22 +04:00
import urlparse
import unicodedata
2010-01-28 20:07:34 +03:00
2010-05-28 19:57:43 +04:00
from ConfigParser import DEFAULTSECT
from ConfigParser import RawConfigParser
2010-04-22 20:13:22 +04:00
from StringIO import StringIO
from difflib import SequenceMatcher
2011-01-16 23:55:07 +03:00
from math import sqrt
2011-12-26 18:08:25 +04:00
from optparse import OptionValueError
2010-05-21 17:03:57 +04:00
from subprocess import PIPE
from subprocess import Popen as execute
2010-10-07 02:43:04 +04:00
from xml.dom import minidom
2010-04-22 20:13:22 +04:00
from xml.sax import parse
2010-01-24 02:29:34 +03:00
from extra.safe2bin.safe2bin import safecharencode
2012-02-16 13:46:41 +04:00
from lib.core.bigarray import BigArray
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import paths
from lib.core.convert import base64pickle
from lib.core.convert import base64unpickle
2012-12-19 04:30:22 +04:00
from lib.core.convert import hexdecode
2010-11-07 03:12:00 +03:00
from lib.core.convert import htmlunescape
2012-07-31 13:03:44 +04:00
from lib.core.convert import stdoutencode
from lib.core.convert import unicodeencode
2012-07-31 13:03:44 +04:00
from lib.core.convert import utf8encode
2012-07-30 12:06:14 +04:00
from lib.core.decorators import cachedmethod
2012-08-21 13:19:15 +04:00
from lib.core.dicts import DBMS_DICT
2012-11-28 14:10:57 +04:00
from lib.core.dicts import DEPRECATED_HINTS
2012-08-21 13:19:15 +04:00
from lib.core.dicts import SQL_STATEMENTS
2012-10-09 17:19:47 +04:00
from lib.core.enums import ADJUST_TIME_DELAY
from lib.core.enums import CHARSET_TYPE
from lib.core.enums import DBMS
from lib.core.enums import EXPECTED
from lib.core.enums import HEURISTIC_TEST
from lib.core.enums import HTTPHEADER
from lib.core.enums import HTTPMETHOD
from lib.core.enums import OS
from lib.core.enums import PLACE
2010-12-18 12:51:34 +03:00
from lib.core.enums import PAYLOAD
2011-05-30 13:46:32 +04:00
from lib.core.enums import REFLECTIVE_COUNTER
2011-12-21 23:40:42 +04:00
from lib.core.enums import SORT_ORDER
from lib.core.exception import SqlmapDataException
from lib.core.exception import SqlmapFilePathException
from lib.core.exception import SqlmapGenericException
from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapMissingDependence
from lib.core.exception import SqlmapSilentQuitException
from lib.core.exception import SqlmapSyntaxException
from lib.core.exception import SqlmapUserQuitException
2012-07-11 22:29:48 +04:00
from lib.core.log import LOGGER_HANDLER
2010-05-27 20:45:09 +04:00
from lib.core.optiondict import optDict
from lib.core.settings import BOLD_PATTERNS
2012-04-17 12:41:19 +04:00
from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
2012-10-29 17:08:48 +04:00
from lib.core.settings import DBMS_DIRECTORY_DICT
2011-11-22 01:31:08 +04:00
from lib.core.settings import DEFAULT_COOKIE_DELIMITER
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
2012-10-29 17:08:48 +04:00
from lib.core.settings import DEFAULT_MSSQL_SCHEMA
2012-11-28 14:10:57 +04:00
from lib.core.settings import DEPRECATED_OPTIONS
2010-03-03 19:19:17 +03:00
from lib.core.settings import DESCRIPTION
2011-06-18 02:04:25 +04:00
from lib.core.settings import DUMMY_SQL_INJECTION_CHARS
2012-10-29 17:08:48 +04:00
from lib.core.settings import DUMMY_USER_INJECTION
from lib.core.settings import DYNAMICITY_MARK_LENGTH
from lib.core.settings import ERROR_PARSING_REGEXES
from lib.core.settings import FORM_SEARCH_REGEX
from lib.core.settings import GENERIC_DOC_ROOT_DIRECTORY_NAMES
from lib.core.settings import HASHDB_MILESTONE_VALUE
from lib.core.settings import HOST_ALIASES
2012-10-29 17:08:48 +04:00
from lib.core.settings import INFERENCE_UNKNOWN_CHAR
from lib.core.settings import ISSUES_PAGE
from lib.core.settings import IS_WIN
2011-12-23 00:14:56 +04:00
from lib.core.settings import LARGE_OUTPUT_THRESHOLD
2010-12-08 17:46:07 +03:00
from lib.core.settings import MIN_TIME_RESPONSES
2012-10-29 17:08:48 +04:00
from lib.core.settings import ML
from lib.core.settings import NULL
from lib.core.settings import PARAMETER_AMP_MARKER
from lib.core.settings import PARAMETER_SEMICOLON_MARKER
from lib.core.settings import PARTIAL_VALUE_MARKER
from lib.core.settings import PAYLOAD_DELIMITER
2012-10-29 17:08:48 +04:00
from lib.core.settings import PLATFORM
from lib.core.settings import PRINTABLE_CHAR_REGEX
from lib.core.settings import PYVERSION
from lib.core.settings import REFERER_ALIASES
from lib.core.settings import REFLECTED_BORDER_REGEX
2011-07-13 03:21:15 +04:00
from lib.core.settings import REFLECTED_MAX_REGEX_PARTS
2012-10-29 17:08:48 +04:00
from lib.core.settings import REFLECTED_REPLACEMENT_REGEX
from lib.core.settings import REFLECTED_VALUE_MARKER
2011-05-30 13:46:32 +04:00
from lib.core.settings import REFLECTIVE_MISS_THRESHOLD
2012-10-29 17:08:48 +04:00
from lib.core.settings import REVISION
2011-02-02 17:25:16 +03:00
from lib.core.settings import SENSITIVE_DATA_REGEX
2012-10-29 17:08:48 +04:00
from lib.core.settings import SITE
from lib.core.settings import SUPPORTED_DBMS
from lib.core.settings import TEXT_TAG_REGEX
2012-10-29 17:08:48 +04:00
from lib.core.settings import TIME_STDEV_COEFF
from lib.core.settings import UNICODE_ENCODING
from lib.core.settings import UNKNOWN_DBMS_VERSION
from lib.core.settings import URI_QUESTION_MARKER
2012-07-31 13:03:44 +04:00
from lib.core.settings import URLENCODE_CHAR_LIMIT
from lib.core.settings import URLENCODE_FAILSAFE_CHARS
2012-10-29 17:08:48 +04:00
from lib.core.settings import USER_AGENT_ALIASES
from lib.core.settings import VERSION
from lib.core.settings import VERSION_STRING
from lib.core.threads import getCurrentThreadData
2012-07-14 19:01:04 +04:00
from thirdparty.clientform.clientform import ParseResponse
from thirdparty.clientform.clientform import ParseError
from thirdparty.magic import magic
from thirdparty.odict.odict import OrderedDict
from thirdparty.termcolor.termcolor import colored
2010-09-15 16:51:02 +04:00
class UnicodeRawConfigParser(RawConfigParser):
2010-09-15 16:52:28 +04:00
"""
RawConfigParser with unicode writing support
"""
2010-09-15 16:51:02 +04:00
def write(self, fp):
"""
Write an .ini-format representation of the configuration state.
"""
if self._defaults:
fp.write("[%s]\n" % DEFAULTSECT)
for (key, value) in self._defaults.items():
2011-01-30 14:36:03 +03:00
fp.write("%s = %s\n" % (key, getUnicode(value, UNICODE_ENCODING).replace('\n', '\n\t')))
2010-09-15 16:51:02 +04:00
fp.write("\n")
for section in self._sections:
fp.write("[%s]\n" % section)
for (key, value) in self._sections[section].items():
if key != "__name__":
if value is None:
fp.write("%s\n" % (key))
else:
2011-01-30 14:36:03 +03:00
fp.write("%s = %s\n" % (key, getUnicode(value, UNICODE_ENCODING).replace('\n', '\n\t')))
2010-09-15 16:51:02 +04:00
fp.write("\n")
class Format(object):
@staticmethod
def humanize(values, chain=" or "):
2012-03-28 17:31:07 +04:00
return chain.join(values)
# Get methods
@staticmethod
def getDbms(versions=None):
"""
Format the back-end DBMS fingerprint value and return its
values formatted as a human readable string.
@return: detected back-end DBMS based upon fingerprint techniques.
@rtype: C{str}
"""
if versions is None and Backend.getVersionList():
versions = Backend.getVersionList()
2012-03-28 17:31:07 +04:00
return Backend.getDbms() if versions is None else "%s %s" % (Backend.getDbms(), " and ".join(v for v in versions))
@staticmethod
def getErrorParsedDBMSes():
"""
Parses the knowledge base htmlFp list and return its values
formatted as a human readable string.
@return: list of possible back-end DBMS based upon error messages
parsing.
@rtype: C{str}
"""
2012-03-28 17:31:07 +04:00
htmlParsed = None
if len(kb.htmlFp) == 0 or kb.heuristicTest != HEURISTIC_TEST.POSITIVE:
2012-03-28 17:31:07 +04:00
pass
elif len(kb.htmlFp) == 1:
htmlParsed = kb.htmlFp[0]
elif len(kb.htmlFp) > 1:
2012-03-28 17:31:07 +04:00
htmlParsed = " or ".join(kb.htmlFp)
return htmlParsed
@staticmethod
def getOs(target, info):
"""
Formats the back-end operating system fingerprint value
and return its values formatted as a human readable string.
Example of info (kb.headersFp) dictionary:
{
'distrib': set(['Ubuntu']),
'type': set(['Linux']),
'technology': set(['PHP 5.2.6', 'Apache 2.2.9']),
'release': set(['8.10'])
}
Example of info (kb.bannerFp) dictionary:
{
'sp': set(['Service Pack 4']),
'dbmsVersion': '8.00.194',
'dbmsServicePack': '0',
'distrib': set(['2000']),
'dbmsRelease': '2000',
'type': set(['Windows'])
}
@return: detected back-end operating system based upon fingerprint
techniques.
@rtype: C{str}
"""
infoStr = ""
if info and "type" in info:
infoStr += "%s operating system: %s" % (target, Format.humanize(info["type"]))
if "distrib" in info:
infoStr += " %s" % Format.humanize(info["distrib"])
if "release" in info:
infoStr += " %s" % Format.humanize(info["release"])
if "sp" in info:
infoStr += " %s" % Format.humanize(info["sp"])
if "codename" in info:
infoStr += " (%s)" % Format.humanize(info["codename"])
if "technology" in info:
infoStr += "\nweb application technology: %s" % Format.humanize(info["technology"], ", ")
2012-07-26 14:13:16 +04:00
return infoStr.lstrip()
class Backend:
# Set methods
@staticmethod
def setDbms(dbms):
dbms = aliasToDbmsEnum(dbms)
if dbms is None:
return None
# Little precaution, in theory this condition should always be false
elif kb.dbms is not None and kb.dbms != dbms:
msg = "sqlmap previously fingerprinted back-end DBMS "
msg += "%s. However now it has been fingerprinted " % kb.dbms
msg += "to be %s. " % dbms
msg += "Please, specify which DBMS is "
msg += "correct [%s (default)/%s] " % (kb.dbms, dbms)
while True:
2012-02-16 13:54:29 +04:00
_ = readInput(msg, default=kb.dbms)
2012-02-16 13:54:29 +04:00
if aliasToDbmsEnum(_) == kb.dbms:
break
2012-02-16 13:54:29 +04:00
elif aliasToDbmsEnum(_) == dbms:
kb.dbms = aliasToDbmsEnum(_)
break
else:
warnMsg = "invalid value"
logger.warn(warnMsg)
elif kb.dbms is None:
kb.dbms = aliasToDbmsEnum(dbms)
return kb.dbms
@staticmethod
def setVersion(version):
if isinstance(version, basestring):
2012-02-22 19:53:36 +04:00
kb.dbmsVersion = [version]
return kb.dbmsVersion
@staticmethod
def setVersionList(versionsList):
if isinstance(versionsList, list):
kb.dbmsVersion = versionsList
2011-01-31 12:34:54 +03:00
elif isinstance(versionsList, basestring):
Backend.setVersion(versionsList)
else:
logger.error("invalid format of versionsList")
@staticmethod
2011-06-02 03:00:18 +04:00
def forceDbms(dbms, sticky=False):
2012-07-12 17:24:40 +04:00
if not kb.stickyDBMS:
2011-09-26 01:10:45 +04:00
kb.forcedDbms = aliasToDbmsEnum(dbms)
2012-07-12 17:24:40 +04:00
kb.stickyDBMS = sticky
@staticmethod
2011-06-02 03:00:18 +04:00
def flushForcedDbms(force=False):
2012-07-12 17:24:40 +04:00
if not kb.stickyDBMS or force:
2011-09-26 01:10:45 +04:00
kb.forcedDbms = None
2012-07-12 17:24:40 +04:00
kb.stickyDBMS = False
@staticmethod
def setOs(os):
if os is None:
return None
# Little precaution, in theory this condition should always be false
elif kb.os is not None and isinstance(os, basestring) and kb.os.lower() != os.lower():
msg = "sqlmap previously fingerprinted back-end DBMS "
msg += "operating system %s. However now it has " % kb.os
msg += "been fingerprinted to be %s. " % os
msg += "Please, specify which OS is "
msg += "correct [%s (default)/%s] " % (kb.os, os)
while True:
2012-02-16 13:54:29 +04:00
_ = readInput(msg, default=kb.os)
2012-02-16 13:54:29 +04:00
if _ == kb.os:
break
2012-02-16 13:54:29 +04:00
elif _ == os:
kb.os = _.capitalize()
break
else:
warnMsg = "invalid value"
logger.warn(warnMsg)
elif kb.os is None and isinstance(os, basestring):
kb.os = os.capitalize()
return kb.os
2012-01-13 20:49:52 +04:00
@staticmethod
def setOsVersion(version):
if version is None:
return None
elif kb.osVersion is None and isinstance(version, basestring):
kb.osVersion = version
@staticmethod
def setOsServicePack(sp):
if sp is None:
2012-01-13 20:49:52 +04:00
return None
elif kb.osSP is None and isinstance(sp, int):
kb.osSP = sp
2012-01-13 20:49:52 +04:00
@staticmethod
def setArch():
msg = "what is the back-end database management system architecture?"
msg += "\n[1] 32-bit (default)"
msg += "\n[2] 64-bit"
while True:
2012-02-16 13:54:29 +04:00
_ = readInput(msg, default='1')
2012-02-22 19:53:36 +04:00
if isinstance(_, basestring) and _.isdigit() and int(_) in (1, 2):
2012-02-16 17:46:01 +04:00
kb.arch = 32 if int(_) == 1 else 64
break
else:
2012-02-16 17:46:01 +04:00
warnMsg = "invalid value. Valid values are 1 and 2"
logger.warn(warnMsg)
return kb.arch
# Get methods
@staticmethod
def getForcedDbms():
return aliasToDbmsEnum(kb.get("forcedDbms"))
@staticmethod
def getDbms():
return aliasToDbmsEnum(kb.get("dbms"))
@staticmethod
def getErrorParsedDBMSes():
"""
Returns array with parsed DBMS names till now
This functions is called to:
1. Sort the tests, getSortedInjectionTests() - detection phase.
2. Ask user whether or not skip specific DBMS tests in detection phase,
lib/controller/checks.py - detection phase.
3. Sort the fingerprint of the DBMS, lib/controller/handler.py -
fingerprint phase.
"""
2012-09-07 12:09:19 +04:00
return kb.htmlFp if kb.get("heuristicTest") == HEURISTIC_TEST.POSITIVE else []
@staticmethod
def getIdentifiedDbms():
dbms = None
if not kb:
pass
elif Backend.getForcedDbms() is not None:
dbms = Backend.getForcedDbms()
elif Backend.getDbms() is not None:
dbms = kb.dbms
2012-12-12 14:54:59 +04:00
elif conf.get("dbms"):
dbms = conf.dbms
2012-10-28 03:16:02 +04:00
elif Backend.getErrorParsedDBMSes():
dbms = unArrayizeValue(Backend.getErrorParsedDBMSes())
2012-12-12 14:54:59 +04:00
elif kb.get("injection") and kb.injection.dbms:
dbms = unArrayizeValue(kb.injection.dbms)
return aliasToDbmsEnum(dbms)
@staticmethod
def getVersion():
if len(kb.dbmsVersion) > 0:
return kb.dbmsVersion[0]
else:
return None
@staticmethod
def getVersionList():
if len(kb.dbmsVersion) > 0:
return kb.dbmsVersion
else:
return None
@staticmethod
def getOs():
return kb.os
2012-01-13 20:49:52 +04:00
@staticmethod
def getOsVersion():
return kb.osVersion
@staticmethod
def getOsServicePack():
return kb.osSP
@staticmethod
def getArch():
if kb.arch is None:
Backend.setArch()
return kb.arch
# Comparison methods
@staticmethod
def isDbms(dbms):
2011-05-02 03:42:41 +04:00
if Backend.getDbms() is not None:
return Backend.getDbms() == aliasToDbmsEnum(dbms)
else:
return Backend.getIdentifiedDbms() == aliasToDbmsEnum(dbms)
@staticmethod
def isDbmsWithin(aliases):
return Backend.getDbms() is not None and Backend.getDbms().lower() in aliases
@staticmethod
def isVersion(version):
return Backend.getVersion() is not None and Backend.getVersion() == version
@staticmethod
def isVersionWithin(versionList):
if Backend.getVersionList() is None:
return False
2012-02-16 17:46:01 +04:00
for _ in Backend.getVersionList():
if _ != UNKNOWN_DBMS_VERSION and _ in versionList:
return True
return False
@staticmethod
def isVersionGreaterOrEqualThan(version):
return Backend.getVersion() is not None and str(Backend.getVersion()) >= str(version)
@staticmethod
def isOs(os):
return Backend.getOs() is not None and Backend.getOs().lower() == os.lower()
2008-10-15 19:38:22 +04:00
def paramToDict(place, parameters=None):
"""
Split the parameters into names and values, check if these parameters
are within the testable parameters and return in a dictionary.
"""
testableParameters = OrderedDict()
2008-10-15 19:38:22 +04:00
2012-02-22 19:53:36 +04:00
if place in conf.parameters and not parameters:
2008-10-15 19:38:22 +04:00
parameters = conf.parameters[place]
2012-10-04 13:25:44 +04:00
parameters = parameters.replace(", ", ",")
parameters = re.sub(r"&(\w{1,4});", r"%s\g<1>%s" % (PARAMETER_AMP_MARKER, PARAMETER_SEMICOLON_MARKER), parameters)
splitParams = parameters.split(conf.pDel or (DEFAULT_COOKIE_DELIMITER if place == PLACE.COOKIE else DEFAULT_GET_POST_DELIMITER))
2012-10-04 13:25:44 +04:00
for element in splitParams:
element = re.sub(r"%s(.+?)%s" % (PARAMETER_AMP_MARKER, PARAMETER_SEMICOLON_MARKER), r"&\g<1>;", element)
elem = element.split("=")
2010-10-21 01:49:05 +04:00
2012-10-04 13:25:44 +04:00
if len(elem) >= 2:
parameter = elem[0].replace(" ", "")
2010-10-21 01:49:05 +04:00
condition = not conf.testParameter
2012-10-04 13:25:44 +04:00
condition |= parameter in conf.testParameter
2008-10-15 19:38:22 +04:00
if condition:
2012-10-04 13:25:44 +04:00
testableParameters[parameter] = "=".join(elem[1:])
if not conf.multipleTargets:
2012-11-19 14:59:28 +04:00
_ = urldecode(testableParameters[parameter], convall=True)
if _.strip(DUMMY_SQL_INJECTION_CHARS) != _\
or re.search(r'\A9{3,}', _) or re.search(DUMMY_USER_INJECTION, _):
2012-10-04 13:25:44 +04:00
warnMsg = "it appears that you have provided tainted parameter values "
warnMsg += "('%s') with most probably leftover " % element
2012-12-13 13:03:21 +04:00
warnMsg += "chars/statements from manual SQL injection test(s). "
2012-10-04 13:25:44 +04:00
warnMsg += "Please, always use only valid parameter values "
warnMsg += "so sqlmap could be able to properly run "
logger.warn(warnMsg)
message = "Are you sure you want to continue? [y/N] "
test = readInput(message, default="N")
if test[0] not in ("y", "Y"):
raise SqlmapSilentQuitException
2008-10-15 19:38:22 +04:00
if conf.testParameter and not testableParameters:
paramStr = ", ".join(test for test in conf.testParameter)
if len(conf.testParameter) > 1:
2011-10-24 03:27:56 +04:00
warnMsg = "provided parameters '%s' " % paramStr
warnMsg += "are not inside the %s" % place
logger.warn(warnMsg)
2008-10-15 19:38:22 +04:00
else:
parameter = conf.testParameter[0]
if not intersect(USER_AGENT_ALIASES + REFERER_ALIASES + HOST_ALIASES, parameter, True):
warnMsg = "provided parameter '%s' " % paramStr
warnMsg += "is not inside the %s" % place
logger.warn(warnMsg)
2008-10-15 19:38:22 +04:00
elif len(conf.testParameter) != len(testableParameters.keys()):
for parameter in conf.testParameter:
2012-02-22 19:53:36 +04:00
if parameter not in testableParameters:
2011-10-24 03:27:56 +04:00
warnMsg = "provided parameter '%s' " % parameter
warnMsg += "is not inside the %s" % place
2008-10-15 19:38:22 +04:00
logger.warn(warnMsg)
return testableParameters
2011-01-23 23:47:06 +03:00
def getDocRoot():
2008-10-15 19:38:22 +04:00
docRoot = None
2010-01-05 14:30:33 +03:00
pagePath = directoryPath(conf.path)
2008-10-15 19:38:22 +04:00
2012-07-13 13:23:21 +04:00
defaultDocRoot = ("C:/xampp/htdocs/", "C:/Inetpub/wwwroot/") if Backend.isOs(OS.WINDOWS) else ("/var/www/",)
if kb.absFilePaths:
for absFilePath in kb.absFilePaths:
2012-07-13 13:23:21 +04:00
if docRoot:
break
2010-02-09 17:27:41 +03:00
if directoryPath(absFilePath) == '/':
continue
2010-01-05 14:30:33 +03:00
absFilePath = normalizePath(absFilePath)
2012-07-13 13:23:21 +04:00
windowsDriveLetter = None
2012-07-13 13:23:21 +04:00
if isWindowsDriveLetterPath(absFilePath):
windowsDriveLetter, absFilePath = absFilePath[:2], absFilePath[2:]
absFilePath = ntToPosixSlashes(posixToNtSlashes(absFilePath))
2012-07-13 13:23:21 +04:00
if any("/%s/" % _ in absFilePath for _ in GENERIC_DOC_ROOT_DIRECTORY_NAMES):
for _ in GENERIC_DOC_ROOT_DIRECTORY_NAMES:
_ = "/%s/" % _
if _ in absFilePath:
docRoot = "%s%s" % (absFilePath.split(_)[0], _)
break
2012-07-13 13:23:21 +04:00
elif pagePath in absFilePath:
docRoot = absFilePath.split(pagePath)[0]
if windowsDriveLetter:
docRoot = "%s/%s" % (windowsDriveLetter, ntToPosixSlashes(docRoot))
2012-07-13 13:23:21 +04:00
docRoot = normalizePath(docRoot)
2008-10-15 19:38:22 +04:00
if docRoot:
infoMsg = "retrieved the web server document root: '%s'" % docRoot
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
else:
warnMsg = "unable to retrieve the web server document root"
2008-10-15 19:38:22 +04:00
logger.warn(warnMsg)
2011-01-19 02:05:32 +03:00
message = "please provide the web server document root "
2011-01-23 23:47:06 +03:00
message += "[%s]: " % ",".join(root for root in defaultDocRoot)
2011-02-08 12:44:34 +03:00
inputDocRoot = readInput(message, default=defaultDocRoot)
2008-10-15 19:38:22 +04:00
if inputDocRoot:
2011-01-23 23:47:06 +03:00
if isinstance(inputDocRoot, basestring):
docRoot = inputDocRoot.split(',')
else:
docRoot = inputDocRoot
else:
docRoot = defaultDocRoot
2008-10-15 19:38:22 +04:00
return docRoot
2008-10-15 19:38:22 +04:00
2011-01-23 23:47:06 +03:00
def getDirs():
directories = set("/")
if kb.absFilePaths:
2011-01-19 02:05:32 +03:00
infoMsg = "retrieved web server full paths: "
2011-01-23 23:47:06 +03:00
infoMsg += "'%s'" % ", ".join(ntToPosixSlashes(path) for path in kb.absFilePaths)
logger.info(infoMsg)
for absFilePath in kb.absFilePaths:
if absFilePath:
directory = directoryPath(absFilePath)
2011-01-23 23:47:06 +03:00
directory = ntToPosixSlashes(directory)
directories.add(directory)
else:
warnMsg = "unable to retrieve any web server path"
logger.warn(warnMsg)
2008-10-15 19:38:22 +04:00
2011-01-23 23:47:06 +03:00
webDir = extractRegexResult(r"//[^/]+?/(?P<result>.*)/.", conf.url)
if webDir:
directories.add(webDir)
2011-01-19 02:05:32 +03:00
message = "please provide any additional web server full path to try "
2011-01-23 23:47:06 +03:00
message += "to upload the agent [Enter for None]: "
inputDirs = readInput(message)
2008-10-15 19:38:22 +04:00
if inputDirs:
inputDirs = inputDirs.replace(", ", ",")
inputDirs = inputDirs.split(",")
2008-10-15 19:38:22 +04:00
for inputDir in inputDirs:
if inputDir:
directories.add(inputDir)
2008-10-15 19:38:22 +04:00
2012-07-13 12:35:22 +04:00
return list(directories)
2008-10-15 19:38:22 +04:00
def filePathToString(filePath):
strRepl = filePath.replace("/", "_").replace("\\", "_")
strRepl = strRepl.replace(" ", "_").replace(":", "_")
2008-10-15 19:38:22 +04:00
return strRepl
2008-10-15 19:38:22 +04:00
def singleTimeDebugMessage(message):
singleTimeLogMessage(message, logging.DEBUG)
2011-06-08 18:35:23 +04:00
def singleTimeWarnMessage(message):
singleTimeLogMessage(message, logging.WARN)
def singleTimeLogMessage(message, level=logging.INFO, flag=None):
2011-06-07 19:13:51 +04:00
if flag is None:
flag = hash(message)
2011-04-20 02:54:13 +04:00
if flag not in kb.singleLogFlags:
kb.singleLogFlags.add(flag)
logger.log(level, message)
def boldifyMessage(message):
retVal = message
if any(_ in message for _ in BOLD_PATTERNS):
retVal = setColor(message, True)
return retVal
2012-07-11 21:54:21 +04:00
def setColor(message, bold=False):
retVal = message
2012-07-12 17:23:35 +04:00
level = extractRegexResult(r"\[(?P<result>[A-Z ]+)\]", message) or kb.get("stickyLevel")
2012-08-07 12:57:29 +04:00
if message and getattr(LOGGER_HANDLER, "is_tty", False): # colorizing handler
if bold:
retVal = colored(message, color=None, on_color=None, attrs=("bold",))
2012-07-12 17:23:35 +04:00
elif level:
_ = LOGGER_HANDLER.level_map.get(logging.getLevelName(level))
if _:
background, foreground, bold = _
retVal = colored(message, color=foreground, on_color="on_%s" % background if background else None, attrs=("bold",) if bold else None)
2012-07-11 20:22:01 +04:00
2012-07-12 17:23:35 +04:00
kb.stickyLevel = level if message and message[-1] != "\n" else None
2012-07-11 21:54:21 +04:00
return retVal
2012-07-11 20:53:32 +04:00
def dataToStdout(data, forceOutput=False, bold=False):
2012-07-01 03:19:54 +04:00
"""
Writes text to the stdout (console) stream
"""
message = ""
2011-12-27 15:41:57 +04:00
if not kb.get("threadException"):
if forceOutput or not getCurrentThreadData().disableStdOut:
2012-07-31 13:03:44 +04:00
if kb.get("multiThreadMode"):
logging._acquireLock()
2012-07-31 13:03:44 +04:00
message = stdoutencode(data)
2012-07-11 21:54:21 +04:00
sys.stdout.write(setColor(message, bold))
2012-08-31 21:48:45 +04:00
try:
sys.stdout.flush()
except IOError:
pass
if kb.get("multiThreadMode"):
logging._releaseLock()
kb.prependFlag = len(data) == 1 and data not in ('\n', '\r') or len(data) > 2 and data[0] == '\r' and data[-1] != '\n'
2010-11-08 14:22:47 +03:00
def dataToTrafficFile(data):
if not conf.trafficFile:
return
conf.trafficFP.write(data)
conf.trafficFP.flush()
2008-10-15 19:38:22 +04:00
def dataToDumpFile(dumpFile, data):
dumpFile.write(data)
dumpFile.flush()
2012-12-19 18:12:09 +04:00
def dataToOutFile(filename, data):
if not data:
return "No data retrieved"
2012-12-19 18:12:09 +04:00
retVal = "%s%s%s" % (conf.filePath, os.sep, filePathToString(filename))
2012-07-01 02:33:19 +04:00
with codecs.open(retVal, "wb") as f:
f.write(data)
2012-07-01 02:33:19 +04:00
return retVal
2012-03-28 17:31:07 +04:00
def strToHex(value):
2008-10-15 19:38:22 +04:00
"""
2012-03-28 17:31:07 +04:00
Converts string value to it's hexadecimal representation
2008-10-15 19:38:22 +04:00
"""
2012-03-28 17:31:07 +04:00
return (value if not isinstance(value, unicode) else value.encode(UNICODE_ENCODING)).encode("hex").upper()
def readInput(message, default=None, checkBatch=True):
2008-10-15 19:38:22 +04:00
"""
2012-03-28 17:31:07 +04:00
Reads input from terminal
2008-10-15 19:38:22 +04:00
"""
2012-11-21 13:16:13 +04:00
retVal = None
2012-07-12 17:25:26 +04:00
kb.stickyLevel = None
2012-07-11 20:53:32 +04:00
if "\n" in message:
message += "%s> " % ("\n" if message.count("\n") > 1 else "")
2010-11-05 19:08:42 +03:00
elif message[-1] == ']':
message += " "
2012-11-21 13:16:13 +04:00
if conf.answers:
for item in conf.answers.split(','):
question = item.split('=')[0].strip()
answer = item.split('=')[1] if len(item.split('=')) > 1 else None
if answer and question.lower() in message.lower():
retVal = getUnicode(answer, UNICODE_ENCODING)
2011-02-08 13:08:48 +03:00
2012-11-21 13:16:13 +04:00
infoMsg = "%s%s" % (getUnicode(message), retVal)
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
2012-11-21 13:16:13 +04:00
debugMsg = "used the given answer"
logger.debug(debugMsg)
2008-10-15 19:38:22 +04:00
2012-11-21 13:16:13 +04:00
break
if retVal is None:
if checkBatch and conf.batch:
if isListLike(default):
options = ",".join(getUnicode(opt, UNICODE_ENCODING) for opt in default)
elif default:
options = getUnicode(default, UNICODE_ENCODING)
else:
options = unicode()
infoMsg = "%s%s" % (getUnicode(message), options)
logger.info(infoMsg)
debugMsg = "used the default behaviour, running in batch mode"
logger.debug(debugMsg)
retVal = default
else:
logging._acquireLock()
dataToStdout("\r%s" % message, forceOutput=True, bold=True)
kb.prependFlag = False
try:
retVal = raw_input() or default
retVal = getUnicode(retVal, system=True) if retVal else retVal
except:
time.sleep(0.05) # Reference: http://www.gossamer-threads.com/lists/python/python/781893
kb.prependFlag = True
raise SqlmapUserQuitException
2012-11-21 13:16:13 +04:00
finally:
logging._releaseLock()
return retVal
2008-10-15 19:38:22 +04:00
def randomRange(start=0, stop=1000):
"""
2012-03-28 17:31:07 +04:00
Returns random integer value in given range
2008-10-15 19:38:22 +04:00
"""
return int(random.randint(start, stop))
def randomInt(length=4):
"""
2012-03-28 17:31:07 +04:00
Returns random integer value with provided number of digits
2008-10-15 19:38:22 +04:00
"""
2011-11-20 23:38:56 +04:00
return int("".join(random.choice(string.digits if i!=0 else string.digits.replace('0', '')) for i in xrange(0, length)))
2008-10-15 19:38:22 +04:00
2010-10-11 16:26:35 +04:00
def randomStr(length=4, lowercase=False, alphabet=None):
2008-10-15 19:38:22 +04:00
"""
2012-03-28 17:31:07 +04:00
Returns random string value with provided number of characters
2008-10-15 19:38:22 +04:00
"""
2010-10-11 16:26:35 +04:00
if alphabet:
2012-07-01 02:33:19 +04:00
retVal = "".join(random.choice(alphabet) for _ in xrange(0, length))
2010-10-11 16:26:35 +04:00
elif lowercase:
2012-07-01 02:33:19 +04:00
retVal = "".join(random.choice(string.lowercase) for _ in xrange(0, length))
else:
2012-07-01 02:33:19 +04:00
retVal = "".join(random.choice(string.letters) for _ in xrange(0, length))
2012-07-01 02:33:19 +04:00
return retVal
2010-09-13 17:31:01 +04:00
2011-12-21 23:40:42 +04:00
def sanitizeStr(value):
2008-10-15 19:38:22 +04:00
"""
2012-03-28 17:31:07 +04:00
Sanitizes string value in respect to newline and line-feed characters
2008-10-15 19:38:22 +04:00
"""
2011-12-21 23:40:42 +04:00
return getUnicode(value).replace("\n", " ").replace("\r", "")
2008-10-15 19:38:22 +04:00
def checkFile(filename):
"""
2012-03-28 17:31:07 +04:00
Checks for file existence
2008-10-15 19:38:22 +04:00
"""
2012-07-22 01:31:36 +04:00
if not os.path.isfile(filename):
raise SqlmapFilePathException, "unable to read file '%s'" % filename
2008-10-15 19:38:22 +04:00
def banner():
"""
This function prints sqlmap banner with its version
"""
2011-12-21 23:40:42 +04:00
_ = """\n %s - %s\n %s\n\n""" % (VERSION_STRING, DESCRIPTION, SITE)
dataToStdout(_, forceOutput=True)
2010-09-13 17:31:01 +04:00
2008-10-15 19:38:22 +04:00
def parsePasswordHash(password):
blank = " " * 8
if not password or password == " ":
2012-02-07 14:46:55 +04:00
password = NULL
2008-10-15 19:38:22 +04:00
2012-02-07 14:46:55 +04:00
if Backend.isDbms(DBMS.MSSQL) and password != NULL and isHexEncodedString(password):
2008-10-15 19:38:22 +04:00
hexPassword = password
2011-01-19 02:05:32 +03:00
password = "%s\n" % hexPassword
2008-10-15 19:38:22 +04:00
password += "%sheader: %s\n" % (blank, hexPassword[:6])
password += "%ssalt: %s\n" % (blank, hexPassword[6:14])
password += "%smixedcase: %s\n" % (blank, hexPassword[14:54])
if not Backend.isVersionWithin(("2005", "2008")):
2008-10-15 19:38:22 +04:00
password += "%suppercase: %s" % (blank, hexPassword[54:])
return password
2008-10-15 19:38:22 +04:00
def cleanQuery(query):
2012-07-01 02:33:19 +04:00
retVal = query
for sqlStatements in SQL_STATEMENTS.values():
for sqlStatement in sqlStatements:
sqlStatementEsc = sqlStatement.replace("(", "\\(")
queryMatch = re.search("(%s)" % sqlStatementEsc, query, re.I)
if queryMatch and "sys_exec" not in query:
2012-07-01 02:33:19 +04:00
retVal = retVal.replace(queryMatch.group(1), sqlStatement.upper())
2012-07-01 02:33:19 +04:00
return retVal
2010-09-13 17:31:01 +04:00
2008-10-15 19:38:22 +04:00
def setPaths():
2012-02-24 18:12:19 +04:00
"""
Sets absolute paths for project directories and files
"""
2008-10-15 19:38:22 +04:00
# sqlmap paths
2011-01-19 02:05:32 +03:00
paths.SQLMAP_EXTRAS_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "extra")
paths.SQLMAP_PROCS_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "procs")
2011-01-19 02:05:32 +03:00
paths.SQLMAP_SHELL_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "shell")
paths.SQLMAP_TAMPER_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "tamper")
2011-01-19 02:05:32 +03:00
paths.SQLMAP_TXT_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "txt")
paths.SQLMAP_UDF_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "udf")
paths.SQLMAP_XML_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "xml")
paths.SQLMAP_XML_BANNER_PATH = os.path.join(paths.SQLMAP_XML_PATH, "banner")
2011-01-19 02:05:32 +03:00
paths.SQLMAP_OUTPUT_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "output")
paths.SQLMAP_DUMP_PATH = os.path.join(paths.SQLMAP_OUTPUT_PATH, "%s", "dump")
paths.SQLMAP_FILES_PATH = os.path.join(paths.SQLMAP_OUTPUT_PATH, "%s", "files")
paths.SQLMAP_SEXEC_PATH = os.path.join(paths.SQLMAP_EXTRAS_PATH, "shellcodeexec")
2008-10-15 19:38:22 +04:00
# sqlmap files
2011-01-19 02:05:32 +03:00
paths.SQLMAP_HISTORY = os.path.join(paths.SQLMAP_ROOT_PATH, ".sqlmap_history")
paths.SQLMAP_CONFIG = os.path.join(paths.SQLMAP_ROOT_PATH, "sqlmap-%s.conf" % randomStr())
paths.COMMON_COLUMNS = os.path.join(paths.SQLMAP_TXT_PATH, "common-columns.txt")
paths.COMMON_TABLES = os.path.join(paths.SQLMAP_TXT_PATH, "common-tables.txt")
paths.COMMON_OUTPUTS = os.path.join(paths.SQLMAP_TXT_PATH, 'common-outputs.txt')
paths.SQL_KEYWORDS = os.path.join(paths.SQLMAP_TXT_PATH, "keywords.txt")
paths.SMALL_DICT = os.path.join(paths.SQLMAP_TXT_PATH, "smalldict.txt")
2011-01-19 02:05:32 +03:00
paths.USER_AGENTS = os.path.join(paths.SQLMAP_TXT_PATH, "user-agents.txt")
2012-07-18 16:24:10 +04:00
paths.WORDLIST = os.path.join(paths.SQLMAP_TXT_PATH, "wordlist.zip")
2011-01-19 02:05:32 +03:00
paths.PHPIDS_RULES_XML = os.path.join(paths.SQLMAP_XML_PATH, "phpids_rules.xml")
paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")
paths.PAYLOADS_XML = os.path.join(paths.SQLMAP_XML_PATH, "payloads.xml")
paths.INJECTIONS_XML = os.path.join(paths.SQLMAP_XML_PATH, "injections.xml")
paths.LIVE_TESTS_XML = os.path.join(paths.SQLMAP_XML_PATH, "livetests.xml")
paths.QUERIES_XML = os.path.join(paths.SQLMAP_XML_PATH, "queries.xml")
paths.GENERIC_XML = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "generic.xml")
paths.MSSQL_XML = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "mssql.xml")
paths.MYSQL_XML = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "mysql.xml")
paths.ORACLE_XML = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "oracle.xml")
paths.PGSQL_XML = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "postgresql.xml")
2010-09-13 17:31:01 +04:00
2008-10-15 19:38:22 +04:00
def weAreFrozen():
"""
Returns whether we are frozen via py2exe.
This will affect how we find out where we are located.
Reference: http://www.py2exe.org/index.cgi/WhereAmI
"""
return hasattr(sys, "frozen")
def parseTargetDirect():
"""
Parse target dbms and set some attributes into the configuration singleton.
"""
if not conf.direct:
return
details = None
remote = False
for dbms in SUPPORTED_DBMS:
2012-01-12 18:58:23 +04:00
details = re.search("^(?P<dbms>%s)://(?P<credentials>(?P<user>.+?)\:(?P<pass>.*)\@)?(?P<remote>(?P<hostname>.+?)\:(?P<port>[\d]+)\/)?(?P<db>[\w\d\ \:\.\_\-\/\\\\]+?)$" % dbms, conf.direct, re.I)
2010-09-13 17:31:01 +04:00
if details:
conf.dbms = details.group('dbms')
2010-03-30 15:21:26 +04:00
if details.group('credentials'):
conf.dbmsUser = details.group('user')
conf.dbmsPass = details.group('pass')
2010-03-30 15:06:30 +04:00
else:
2010-05-28 17:05:02 +04:00
conf.dbmsUser = unicode()
conf.dbmsPass = unicode()
2010-04-29 17:34:03 +04:00
if not conf.dbmsPass:
conf.dbmsPass = None
2010-03-30 15:21:26 +04:00
if details.group('remote'):
remote = True
2010-03-30 15:21:26 +04:00
conf.hostname = details.group('hostname')
2011-01-19 02:05:32 +03:00
conf.port = int(details.group('port'))
2010-03-30 15:21:26 +04:00
else:
2010-03-30 15:06:30 +04:00
conf.hostname = "localhost"
2011-01-19 02:05:32 +03:00
conf.port = 0
conf.dbmsDb = details.group('db')
conf.parameters[None] = "direct connection"
break
if not details:
errMsg = "invalid target details, valid syntax is for instance "
errMsg += "'mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME' "
errMsg += "or 'access://DATABASE_FILEPATH'"
raise SqlmapSyntaxException, errMsg
for dbmsName, data in DBMS_DICT.items():
if conf.dbms in data[0]:
try:
2010-11-02 15:08:28 +03:00
if dbmsName in (DBMS.ACCESS, DBMS.SQLITE, DBMS.FIREBIRD):
if remote:
2010-04-13 15:13:01 +04:00
warnMsg = "direct connection over the network for "
warnMsg += "%s DBMS is not supported" % dbmsName
logger.warn(warnMsg)
conf.hostname = "localhost"
2011-01-19 02:05:32 +03:00
conf.port = 0
2010-04-13 15:13:01 +04:00
elif not remote:
errMsg = "missing remote connection details"
raise SqlmapSyntaxException, errMsg
2011-02-04 18:57:53 +03:00
if dbmsName in (DBMS.MSSQL, DBMS.SYBASE):
import _mssql
import pymssql
2010-03-31 19:31:11 +04:00
if not hasattr(pymssql, "__version__") or pymssql.__version__ < "1.0.2":
errMsg = "'%s' third-party library must be " % data[1]
errMsg += "version >= 1.0.2 to work properly. "
2012-02-09 13:48:47 +04:00
errMsg += "Download from '%s'" % data[2]
raise SqlmapMissingDependence, errMsg
2010-03-31 19:31:11 +04:00
2010-11-02 15:08:28 +03:00
elif dbmsName == DBMS.MYSQL:
import pymysql
2010-12-04 01:28:09 +03:00
elif dbmsName == DBMS.PGSQL:
import psycopg2
2010-11-02 15:08:28 +03:00
elif dbmsName == DBMS.ORACLE:
import cx_Oracle
2010-11-02 15:08:28 +03:00
elif dbmsName == DBMS.SQLITE:
import sqlite3
2010-11-02 15:08:28 +03:00
elif dbmsName == DBMS.ACCESS:
import pyodbc
2010-11-02 15:08:28 +03:00
elif dbmsName == DBMS.FIREBIRD:
import kinterbasdb
2012-02-22 19:53:36 +04:00
except ImportError:
2011-01-19 02:05:32 +03:00
errMsg = "sqlmap requires '%s' third-party library " % data[1]
errMsg += "in order to directly connect to the database "
2012-02-09 13:48:47 +04:00
errMsg += "%s. Download from '%s'" % (dbmsName, data[2])
raise SqlmapMissingDependence, errMsg
2008-10-15 19:38:22 +04:00
def parseTargetUrl():
"""
Parse target url and set some attributes into the configuration singleton.
2008-10-15 19:38:22 +04:00
"""
2012-02-24 18:12:19 +04:00
2008-10-15 19:38:22 +04:00
if not conf.url:
return
2012-08-15 18:37:18 +04:00
originalUrl = conf.url
2012-05-25 01:36:35 +04:00
if re.search("\[.+\]", conf.url) and not socket.has_ipv6:
errMsg = "IPv6 addressing is not supported "
errMsg += "on this platform"
raise SqlmapGenericException, errMsg
2012-05-25 01:36:35 +04:00
2012-05-25 01:39:10 +04:00
if not re.search("^http[s]*://", conf.url, re.I):
2008-10-15 19:38:22 +04:00
if ":443/" in conf.url:
conf.url = "https://" + conf.url
else:
conf.url = "http://" + conf.url
2012-04-17 12:41:19 +04:00
if CUSTOM_INJECTION_MARK_CHAR in conf.url:
conf.url = conf.url.replace('?', URI_QUESTION_MARKER)
2012-07-01 03:19:54 +04:00
urlSplit = urlparse.urlsplit(conf.url)
hostnamePort = urlSplit[1].split(":") if not re.search("\[.+\]", urlSplit[1]) else filter(None, (re.search("\[.+\]", urlSplit[1]).group(0), re.search("\](:(?P<port>\d+))?", urlSplit[1]).group("port")))
2008-10-15 19:38:22 +04:00
2012-07-01 03:19:54 +04:00
conf.scheme = urlSplit[0].strip().lower() if not conf.forceSSL else "https"
conf.path = urlSplit[2].strip()
conf.hostname = hostnamePort[0].strip()
2012-05-25 02:07:50 +04:00
conf.ipv6 = conf.hostname != conf.hostname.strip("[]")
conf.hostname = conf.hostname.strip("[]")
2011-01-24 17:52:50 +03:00
try:
_ = conf.hostname.encode("idna")
except UnicodeError:
_ = None
if any((_ is None, re.search(r'\s', conf.hostname), '..' in conf.hostname, conf.hostname.startswith('.'))):
2011-01-24 17:52:50 +03:00
errMsg = "invalid target url"
raise SqlmapSyntaxException, errMsg
2008-10-15 19:38:22 +04:00
2012-07-01 03:19:54 +04:00
if len(hostnamePort) == 2:
try:
2012-07-01 03:19:54 +04:00
conf.port = int(hostnamePort[1])
except:
errMsg = "invalid target url"
raise SqlmapSyntaxException, errMsg
2008-10-15 19:38:22 +04:00
elif conf.scheme == "https":
conf.port = 443
else:
conf.port = 80
2012-07-01 03:19:54 +04:00
if urlSplit[3]:
conf.parameters[PLACE.GET] = urldecode(urlSplit[3]) if urlSplit[3] and urlencode(DEFAULT_GET_POST_DELIMITER, None) not in urlSplit[3] else urlSplit[3]
2008-10-15 19:38:22 +04:00
conf.url = getUnicode("%s://%s:%d%s" % (conf.scheme, ("[%s]" % conf.hostname) if conf.ipv6 else conf.hostname, conf.port, conf.path))
conf.url = conf.url.replace(URI_QUESTION_MARKER, '?')
2012-04-04 14:35:52 +04:00
if not conf.referer and intersect(REFERER_ALIASES, conf.testParameter, True):
debugMsg = "setting the HTTP Referer header to the target url"
logger.debug(debugMsg)
conf.httpHeaders = filter(lambda (key, value): key != HTTPHEADER.REFERER, conf.httpHeaders)
conf.httpHeaders.append((HTTPHEADER.REFERER, conf.url))
if not conf.host and intersect(HOST_ALIASES, conf.testParameter, True):
debugMsg = "setting the HTTP Host header to the target url"
logger.debug(debugMsg)
conf.httpHeaders = filter(lambda (key, value): key != HTTPHEADER.HOST, conf.httpHeaders)
conf.httpHeaders.append((HTTPHEADER.HOST, getHostHeader(conf.url)))
2012-08-15 18:37:18 +04:00
if originalUrl != conf.url:
kb.originalUrls[conf.url] = originalUrl
2008-10-15 19:38:22 +04:00
def expandAsteriskForColumns(expression):
2012-02-24 18:12:19 +04:00
"""
If the user provided an asterisk rather than the column(s)
name, sqlmap will retrieve the columns itself and reprocess
the SQL query string (expression)
"""
asterisk = re.search("^SELECT\s+\*\s+FROM\s+([\w\.\_]+)\s*", expression, re.I)
2008-10-15 19:38:22 +04:00
if asterisk:
2011-01-19 02:05:32 +03:00
infoMsg = "you did not provide the fields in your query. "
2008-10-15 19:38:22 +04:00
infoMsg += "sqlmap will retrieve the column names itself"
logger.info(infoMsg)
dbTbl = asterisk.group(1)
if dbTbl and ".." in dbTbl:
dbTbl = dbTbl.replace('..', '.dbo.')
if dbTbl and "." in dbTbl:
conf.db, conf.tbl = dbTbl.split(".", 1)
else:
conf.tbl = dbTbl
2008-10-15 19:38:22 +04:00
columnsDict = conf.dbmsHandler.getColumns(onlyColNames=True)
if columnsDict and conf.db in columnsDict and conf.tbl in columnsDict[conf.db]:
columns = columnsDict[conf.db][conf.tbl].keys()
columns.sort()
2011-11-20 23:38:56 +04:00
columnsStr = ", ".join(column for column in columns)
2008-10-15 19:38:22 +04:00
expression = expression.replace("*", columnsStr, 1)
2011-01-19 02:05:32 +03:00
infoMsg = "the query with column names is: "
2008-10-15 19:38:22 +04:00
infoMsg += "%s" % expression
logger.info(infoMsg)
return expression
2010-01-09 02:50:06 +03:00
2012-02-16 18:42:28 +04:00
def getLimitRange(count, dump=False, plusOne=False):
"""
Returns range of values used in limit/offset constructs
"""
retVal = None
2011-01-19 02:05:32 +03:00
count = int(count)
2012-02-16 18:42:28 +04:00
limitStart, limitStop = 1, count
2008-10-15 19:38:22 +04:00
if dump:
if isinstance(conf.limitStop, int) and conf.limitStop > 0 and conf.limitStop < limitStop:
2008-10-15 19:38:22 +04:00
limitStop = conf.limitStop
if isinstance(conf.limitStart, int) and conf.limitStart > 0 and conf.limitStart <= limitStop:
2008-10-15 19:38:22 +04:00
limitStart = conf.limitStart
2012-02-16 18:42:28 +04:00
retVal = xrange(limitStart, limitStop + 1) if plusOne else xrange(limitStart - 1, limitStop)
2008-10-15 19:38:22 +04:00
2012-02-16 18:42:28 +04:00
return retVal
def parseUnionPage(page):
2012-02-16 18:42:28 +04:00
"""
2012-12-19 04:30:22 +04:00
Returns resulting items from UNION query inside provided page content
2012-02-16 18:42:28 +04:00
"""
if page is None:
2011-02-02 01:05:12 +03:00
return None
if page.startswith(kb.chars.start) and page.endswith(kb.chars.stop):
if len(page) > LARGE_OUTPUT_THRESHOLD:
2011-12-23 00:14:56 +04:00
warnMsg = "large output detected. This might take a while"
logger.warn(warnMsg)
2011-12-23 00:08:28 +04:00
data = BigArray()
2012-08-08 02:03:58 +04:00
keys = set()
2011-12-23 00:08:28 +04:00
for match in re.finditer("%s(.*?)%s" % (kb.chars.start, kb.chars.stop), page, re.DOTALL | re.IGNORECASE):
entry = match.group(1)
if kb.chars.start in entry:
entry = entry.split(kb.chars.start)[-1]
2011-12-22 14:44:14 +04:00
if kb.unionDuplicates:
2011-12-22 03:23:00 +04:00
key = entry.lower()
2012-08-08 02:03:58 +04:00
if key not in keys:
keys.add(key)
else:
continue
2011-12-22 14:59:28 +04:00
entry = entry.split(kb.chars.delimiter)
if conf.hexConvert:
entry = applyFunctionRecursively(entry, decodeHexValue)
if kb.safeCharEncode:
entry = applyFunctionRecursively(entry, safecharencode)
data.append(entry[0] if len(entry) == 1 else entry)
else:
data = page
if len(data) == 1 and isinstance(data[0], basestring):
data = data[0]
return data
def parseFilePaths(page):
"""
2012-02-16 18:42:28 +04:00
Detects (possible) absolute system paths inside the provided page content
"""
if page:
2012-02-22 19:53:36 +04:00
for regex in (r" in <b>(?P<result>.*?)</b> on line", r"(?:>|\s)(?P<result>[A-Za-z]:[\\/][\w.\\/]*)", r"(?:>|\s)(?P<result>/\w[/\w.]+)"):
for match in re.finditer(regex, page):
absFilePath = match.group("result").strip()
page = page.replace(absFilePath, "")
if isWindowsDriveLetterPath(absFilePath):
absFilePath = posixToNtSlashes(absFilePath)
if absFilePath not in kb.absFilePaths:
kb.absFilePaths.add(absFilePath)
def getLocalIP():
2010-11-04 15:51:04 +03:00
retVal = None
2012-07-01 02:33:19 +04:00
2010-11-04 15:51:04 +03:00
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((conf.hostname, conf.port))
retVal, _ = s.getsockname()
s.close()
except:
debugMsg = "there was an error in opening socket "
debugMsg += "connection toward '%s'" % conf.hostname
logger.debug(debugMsg)
2010-11-04 15:51:04 +03:00
return retVal
def getRemoteIP():
return socket.gethostbyname(conf.hostname)
def getFileType(filePath):
try:
2012-02-16 18:42:28 +04:00
_ = magic.from_file(filePath)
except:
return "unknown"
2012-02-16 18:42:28 +04:00
return "text" if "ASCII" in _ or "text" in _ else "binary"
def getCharset(charsetType=None):
asciiTbl = []
if charsetType is None:
2011-12-21 23:40:42 +04:00
asciiTbl.extend(xrange(0, 128))
# 0 or 1
elif charsetType == CHARSET_TYPE.BINARY:
2012-02-22 19:53:36 +04:00
asciiTbl.extend([0, 1])
2011-12-21 23:40:42 +04:00
asciiTbl.extend(xrange(47, 50))
# Digits
elif charsetType == CHARSET_TYPE.DIGITS:
2012-02-22 19:53:36 +04:00
asciiTbl.extend([0, 1])
2011-12-21 23:40:42 +04:00
asciiTbl.extend(xrange(47, 58))
# Hexadecimal
elif charsetType == CHARSET_TYPE.HEXADECIMAL:
2012-02-22 19:53:36 +04:00
asciiTbl.extend([0, 1])
2011-12-21 23:40:42 +04:00
asciiTbl.extend(xrange(47, 58))
asciiTbl.extend(xrange(64, 71))
asciiTbl.extend([87, 88]) # X
2011-12-21 23:40:42 +04:00
asciiTbl.extend(xrange(96, 103))
asciiTbl.extend([119, 120]) # x
# Characters
elif charsetType == CHARSET_TYPE.ALPHA:
2012-02-22 19:53:36 +04:00
asciiTbl.extend([0, 1])
2011-12-21 23:40:42 +04:00
asciiTbl.extend(xrange(64, 91))
asciiTbl.extend(xrange(96, 123))
# Characters and digits
elif charsetType == CHARSET_TYPE.ALPHANUM:
2012-02-22 19:53:36 +04:00
asciiTbl.extend([0, 1])
2011-12-21 23:40:42 +04:00
asciiTbl.extend(xrange(47, 58))
asciiTbl.extend(xrange(64, 91))
asciiTbl.extend(xrange(96, 123))
return asciiTbl
2012-02-16 18:42:28 +04:00
def searchEnvPath(filename):
2012-07-01 02:33:19 +04:00
retVal = None
2012-02-16 18:42:28 +04:00
path = os.environ.get("PATH", "")
paths = path.split(";") if IS_WIN else path.split(":")
2012-02-16 18:42:28 +04:00
for _ in paths:
_ = _.replace(";", "")
2012-07-01 02:33:19 +04:00
retVal = os.path.exists(os.path.normpath(os.path.join(_, filename)))
2012-07-01 02:33:19 +04:00
if retVal:
break
2012-07-01 02:33:19 +04:00
return retVal
2012-02-16 18:42:28 +04:00
def directoryPath(filepath):
"""
Returns directory path for a given filepath
"""
2012-07-13 13:23:21 +04:00
retVal = filepath
if filepath:
retVal = ntpath.dirname(filepath) if isWindowsDriveLetterPath(filepath) else posixpath.dirname(filepath)
return retVal
2010-01-15 20:42:46 +03:00
2012-02-16 18:42:28 +04:00
def normalizePath(filepath):
"""
Returns normalized string representation of a given filepath
"""
2012-07-13 13:23:21 +04:00
retVal = filepath
if filepath:
retVal = ntpath.normpath(filepath) if isWindowsDriveLetterPath(filepath) else posixpath.normpath(filepath)
return retVal
2010-01-15 19:06:59 +03:00
2012-02-16 18:42:28 +04:00
def safeStringFormat(format_, params):
"""
Avoids problems with inappropriate string format strings
"""
retVal = format_.replace("%d", "%s")
2010-01-15 20:42:46 +03:00
if isinstance(params, basestring):
2010-01-15 20:42:46 +03:00
retVal = retVal.replace("%s", params)
else:
2011-12-21 23:40:42 +04:00
count, index = 0, 0
2010-01-15 20:42:46 +03:00
while index != -1:
index = retVal.find("%s")
2010-01-15 20:42:46 +03:00
if index != -1:
if count < len(params):
2012-02-22 19:53:36 +04:00
retVal = retVal[:index] + getUnicode(params[count]) + retVal[index + 2:]
2010-01-15 20:42:46 +03:00
else:
raise SqlmapNoneDataException, "wrong number of parameters during string formatting"
2010-01-15 20:42:46 +03:00
count += 1
2010-01-15 19:06:59 +03:00
return retVal
2010-01-24 02:29:34 +03:00
2011-01-01 22:07:40 +03:00
def getFilteredPageContent(page, onlyText=True):
2012-02-16 18:42:28 +04:00
"""
Returns filtered page content without script, style and/or comments
or all HTML tags
"""
retVal = page
2010-10-16 19:10:48 +04:00
# only if the page's charset has been successfully identified
if isinstance(page, unicode):
2011-11-13 23:09:13 +04:00
retVal = re.sub(r"(?si)<script.+?</script>|<!--.+?-->|<style.+?</style>%s" % (r"|<[^>]+>|\t|\n|\r" if onlyText else ""), " ", page)
2010-10-13 00:01:59 +04:00
while retVal.find(" ") != -1:
retVal = retVal.replace(" ", " ")
2010-11-07 03:12:00 +03:00
retVal = htmlunescape(retVal)
return retVal
def getPageWordSet(page):
2012-02-23 19:32:36 +04:00
"""
Returns word set used in page content
"""
2011-09-11 20:41:07 +04:00
retVal = set()
2010-10-16 19:10:48 +04:00
# only if the page's charset has been successfully identified
if isinstance(page, unicode):
2012-07-01 03:19:54 +04:00
_ = getFilteredPageContent(page)
retVal = set(re.findall(r"\w+", _))
2010-10-16 19:10:48 +04:00
return retVal
def showStaticWords(firstPage, secondPage):
infoMsg = "finding static words in longest matching part of dynamic page content"
logger.info(infoMsg)
2010-10-16 19:10:48 +04:00
firstPage = getFilteredPageContent(firstPage)
secondPage = getFilteredPageContent(secondPage)
2010-10-16 19:10:48 +04:00
infoMsg = "static words: "
2010-10-14 16:38:06 +04:00
2011-12-12 13:45:40 +04:00
if firstPage and secondPage:
match = SequenceMatcher(None, firstPage, secondPage).find_longest_match(0, len(firstPage), 0, len(secondPage))
2012-02-22 19:53:36 +04:00
commonText = firstPage[match[0]:match[0] + match[2]]
2011-12-12 13:45:40 +04:00
commonWords = getPageWordSet(commonText)
else:
commonWords = None
2010-10-14 16:38:06 +04:00
if commonWords:
commonWords = list(commonWords)
commonWords.sort(lambda a, b: cmp(a.lower(), b.lower()))
2011-12-12 13:45:40 +04:00
for word in commonWords:
if len(word) > 2:
infoMsg += "'%s', " % word
infoMsg = infoMsg.rstrip(", ")
else:
infoMsg += "None"
2010-10-14 16:38:06 +04:00
logger.info(infoMsg)
def isWindowsPath(filepath):
2011-10-22 01:29:24 +04:00
"""
Returns True if given filepath is in Windows format
"""
return re.search("\A[\w]\:\\\\", filepath) is not None
def isWindowsDriveLetterPath(filepath):
2011-10-22 01:29:24 +04:00
"""
Returns True if given filepath starts with a Windows drive letter
"""
return re.search("\A[\w]\:", filepath) is not None
def posixToNtSlashes(filepath):
2010-08-21 01:27:47 +04:00
"""
Replaces all occurances of Posix slashes (/) in provided
filepath with NT ones (/)
2010-08-21 01:27:47 +04:00
>>> posixToNtSlashes('C:/Windows')
'C:\\\\Windows'
"""
2010-10-16 19:10:48 +04:00
return filepath.replace('/', '\\')
def ntToPosixSlashes(filepath):
2010-08-21 01:27:47 +04:00
"""
Replaces all occurances of NT slashes (\) in provided
filepath with Posix ones (/)
2010-08-21 01:27:47 +04:00
>>> ntToPosixSlashes('C:\\Windows')
'C:/Windows'
"""
2010-10-16 19:10:48 +04:00
return filepath.replace('\\', '/')
def isBase64EncodedString(subject):
2010-08-21 01:27:47 +04:00
"""
Checks if the provided string is Base64 encoded
2010-08-21 01:27:47 +04:00
>>> isBase64EncodedString('dGVzdA==')
True
>>> isBase64EncodedString('123456')
False
"""
2010-10-16 19:10:48 +04:00
return re.match(r"\A(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z", subject) is not None
def isHexEncodedString(subject):
2010-08-21 01:27:47 +04:00
"""
Checks if the provided string is hex encoded
2010-08-21 01:27:47 +04:00
>>> isHexEncodedString('DEADBEEF')
True
>>> isHexEncodedString('test')
False
"""
2010-10-16 19:10:48 +04:00
2010-10-21 02:12:53 +04:00
return re.match(r"\A[0-9a-fA-Fx]+\Z", subject) is not None
def getConsoleWidth(default=80):
2011-10-22 01:29:24 +04:00
"""
Returns console width
"""
width = None
2012-07-01 03:19:54 +04:00
if os.getenv("COLUMNS", "").isdigit():
width = int(os.getenv("COLUMNS"))
else:
output=execute('stty size', shell=True, stdout=PIPE, stderr=PIPE).stdout.read()
items = output.split()
2010-10-16 19:10:48 +04:00
if len(items) == 2 and items[1].isdigit():
width = int(items[1])
if width is None:
try:
import curses
2010-10-16 19:10:48 +04:00
stdscr = curses.initscr()
_, width = stdscr.getmaxyx()
curses.endwin()
except:
pass
2012-07-01 03:19:54 +04:00
return width or default
2010-04-16 23:57:00 +04:00
2010-11-24 00:00:42 +03:00
def clearConsoleLine(forceOutput=False):
2011-10-22 01:29:24 +04:00
"""
Clears current console line
"""
2012-12-12 19:45:29 +04:00
if getattr(LOGGER_HANDLER, "is_tty", False):
dataToStdout("\r%s\r" % (" " * (getConsoleWidth() - 1)), forceOutput)
kb.prependFlag = False
kb.stickyLevel = None
2010-04-16 23:57:00 +04:00
def parseXmlFile(xmlFile, handler):
2011-10-22 01:29:24 +04:00
"""
Parses XML file by a given handler
"""
2012-07-01 03:19:54 +04:00
with contextlib.closing(StringIO(readCachedFileContent(xmlFile))) as stream:
2012-07-01 02:33:19 +04:00
parse(stream, handler)
2012-07-10 03:19:32 +04:00
def getSQLSnippet(dbms, sfile, **variables):
"""
2012-07-10 03:19:32 +04:00
Returns content of SQL snippet located inside 'procs/' directory
"""
2012-02-15 17:24:02 +04:00
if sfile.endswith('.sql') and os.path.exists(sfile):
2012-07-10 03:53:07 +04:00
filename = sfile
elif not sfile.endswith('.sql') and os.path.exists("%s.sql" % sfile):
filename = "%s.sql" % sfile
2012-07-10 03:53:07 +04:00
else:
filename = os.path.join(paths.SQLMAP_PROCS_PATH, DBMS_DIRECTORY_DICT[dbms], sfile if sfile.endswith('.sql') else "%s.sql" % sfile)
checkFile(filename)
2012-02-15 17:24:02 +04:00
2012-07-10 03:19:32 +04:00
retVal = readCachedFileContent(filename)
2012-04-02 18:57:15 +04:00
retVal = re.sub(r"#.+", "", retVal)
retVal = re.sub(r"(?s);\s+", "; ", retVal).strip("\r\n")
2012-02-15 17:45:10 +04:00
for _ in variables.keys():
2012-02-20 23:35:57 +04:00
retVal = re.sub(r"%%%s%%" % _, variables[_], retVal)
2012-02-15 17:24:02 +04:00
for _ in re.findall(r"%RANDSTR\d+%", retVal, re.I):
retVal = retVal.replace(_, randomStr())
for _ in re.findall(r"%RANDINT\d+%", retVal, re.I):
retVal = retVal.replace(_, randomInt())
variables = re.findall(r"%(\w+)%", retVal, re.I)
2012-07-10 03:19:32 +04:00
if variables:
errMsg = "unresolved variable%s '%s' in SQL file '%s'" % ("s" if len(variables) > 1 else "", ", ".join(variables), sfile)
logger.error(errMsg)
msg = "do you want to provide the substitution values? [y/N] "
choice = readInput(msg, default="N")
if choice and choice[0].lower() == "y":
for var in variables:
msg = "insert value for variable '%s': " % var
val = readInput(msg)
retVal = retVal.replace(r"%%%s%%" % var, val)
2012-02-15 17:24:02 +04:00
return retVal
def readCachedFileContent(filename, mode='rb'):
2011-10-22 01:29:24 +04:00
"""
Cached reading of file content (avoiding multiple same file reading)
"""
if filename not in kb.cache.content:
2012-06-14 17:52:56 +04:00
with kb.locks.cache:
if filename not in kb.cache.content:
checkFile(filename)
with codecs.open(filename, mode, UNICODE_ENCODING) as f:
2012-07-01 03:19:54 +04:00
kb.cache.content[filename] = f.read()
return kb.cache.content[filename]
2010-10-07 02:43:04 +04:00
def readXmlFile(xmlFile):
2011-10-22 01:29:24 +04:00
"""
2012-03-14 02:03:23 +04:00
Reads XML file content and returns its DOM representation
2011-10-22 01:29:24 +04:00
"""
checkFile(xmlFile)
2010-12-09 03:26:06 +03:00
2011-12-21 23:40:42 +04:00
with codecs.open(xmlFile, 'r', UNICODE_ENCODING) as f:
retVal = minidom.parse(f).documentElement
2010-12-09 03:26:06 +03:00
2010-10-07 02:43:04 +04:00
return retVal
def stdev(values):
"""
Computes standard deviation of a list of numbers.
2010-12-08 01:45:38 +03:00
Reference: http://www.goldb.org/corestats.html
"""
2010-12-09 03:26:06 +03:00
2010-12-08 01:45:38 +03:00
if not values or len(values) < 2:
return None
2010-12-14 15:22:17 +03:00
key = (values[0], values[-1], len(values))
2010-12-14 15:22:17 +03:00
if key in kb.cache.stdev:
2011-12-21 23:40:42 +04:00
retVal = kb.cache.stdev[key]
2010-12-14 15:22:17 +03:00
else:
avg = average(values)
2011-12-26 16:24:39 +04:00
_ = reduce(lambda x, y: x + pow((y or 0) - avg, 2), values, 0.0)
2012-02-22 19:53:36 +04:00
retVal = sqrt(_ / (len(values) - 1))
2010-12-14 15:22:17 +03:00
kb.cache.stdev[key] = retVal
2011-12-21 23:40:42 +04:00
return retVal
2010-12-07 19:04:53 +03:00
def average(values):
2010-08-21 01:27:47 +04:00
"""
2010-12-07 19:04:53 +03:00
Computes the arithmetic mean of a list of numbers.
2010-08-21 01:27:47 +04:00
"""
2011-10-22 01:29:24 +04:00
2012-07-01 03:19:54 +04:00
return (sum(values) / len(values)) if values else None
2010-12-07 19:04:53 +03:00
def calculateDeltaSeconds(start):
"""
Returns elapsed time from start till now
"""
2011-10-22 01:29:24 +04:00
2010-12-07 19:04:53 +03:00
return time.time() - start
2010-05-21 13:35:36 +04:00
2010-05-21 16:19:20 +04:00
def initCommonOutputs():
2011-10-22 01:29:24 +04:00
"""
Initializes dictionary containing common output values used by "good samaritan" feature
"""
2010-05-21 16:19:20 +04:00
kb.commonOutputs = {}
2010-05-21 16:44:09 +04:00
key = None
2011-12-21 23:40:42 +04:00
with codecs.open(paths.COMMON_OUTPUTS, 'r', UNICODE_ENCODING) as f:
2012-02-22 19:53:36 +04:00
for line in f.readlines(): # xreadlines doesn't return unicode strings when codec.open() is used
2011-12-21 23:40:42 +04:00
if line.find('#') != -1:
line = line[:line.find('#')]
2010-05-24 19:46:12 +04:00
2011-12-21 23:40:42 +04:00
line = line.strip()
2010-05-27 20:45:09 +04:00
2011-12-21 23:40:42 +04:00
if len(line) > 1:
if line.startswith('[') and line.endswith(']'):
key = line[1:-1]
elif key:
if key not in kb.commonOutputs:
kb.commonOutputs[key] = set()
2010-05-24 19:46:12 +04:00
2011-12-21 23:40:42 +04:00
if line not in kb.commonOutputs[key]:
kb.commonOutputs[key].add(line)
2010-05-21 16:19:20 +04:00
2010-12-26 14:15:02 +03:00
def getFileItems(filename, commentPrefix='#', unicode_=True, lowercase=False, unique=False):
2011-10-22 01:29:24 +04:00
"""
Returns newline delimited items contained inside file
"""
2011-12-22 14:51:41 +04:00
retVal = list() if not unique else OrderedDict()
2010-09-30 16:35:45 +04:00
checkFile(filename)
2011-12-22 02:09:21 +04:00
with codecs.open(filename, 'r', UNICODE_ENCODING) if unicode_ else open(filename, 'r') as f:
2012-02-22 19:53:36 +04:00
for line in (f.readlines() if unicode_ else f.xreadlines()): # xreadlines doesn't return unicode strings when codec.open() is used
2011-12-22 02:09:21 +04:00
if commentPrefix:
if line.find(commentPrefix) != -1:
line = line[:line.find(commentPrefix)]
2011-01-07 19:50:39 +03:00
2011-12-22 02:09:21 +04:00
line = line.strip()
2011-01-07 19:50:39 +03:00
2011-12-22 02:09:21 +04:00
if not unicode_:
try:
line = str.encode(line)
except UnicodeDecodeError:
continue
2011-01-07 19:50:39 +03:00
2011-12-22 02:09:21 +04:00
if line:
if lowercase:
line = line.lower()
2011-01-07 19:50:39 +03:00
2011-12-22 02:09:21 +04:00
if unique and line in retVal:
continue
2010-09-30 16:35:45 +04:00
2011-12-22 02:09:21 +04:00
if unique:
2011-12-22 14:51:41 +04:00
retVal[line] = True
2011-12-22 02:09:21 +04:00
else:
retVal.append(line)
2011-12-21 23:40:42 +04:00
2011-12-22 14:51:41 +04:00
return retVal if not unique else retVal.keys()
2010-09-30 16:35:45 +04:00
def goGoodSamaritan(prevValue, originalCharset):
2010-05-26 15:14:22 +04:00
"""
2010-05-27 20:45:09 +04:00
Function for retrieving parameters needed for common prediction (good
samaritan) feature.
prevValue: retrieved query output so far (e.g. 'i').
Returns commonValue if there is a complete single match (in kb.partRun
of txt/common-outputs.txt under kb.partRun) regarding parameter
prevValue. If there is no single value match, but multiple, commonCharset is
2010-05-27 20:45:09 +04:00
returned containing more probable characters (retrieved from matched
values in txt/common-outputs.txt) together with the rest of charset as
otherCharset.
2010-05-26 15:14:22 +04:00
"""
2010-05-27 20:45:09 +04:00
2010-05-24 19:46:12 +04:00
if kb.commonOutputs is None:
2010-05-21 16:19:20 +04:00
initCommonOutputs()
2010-05-21 13:35:36 +04:00
predictionSet = set()
commonValue = None
commonPattern = None
countCommonValue = 0
2010-05-21 16:44:09 +04:00
# If the header (e.g. Databases) we are looking for has common
# outputs defined
if kb.partRun in kb.commonOutputs:
commonPartOutputs = kb.commonOutputs[kb.partRun]
2010-06-30 15:22:25 +04:00
commonPattern = commonFinderOnly(prevValue, commonPartOutputs)
# If the longest common prefix is the same as previous value then
# do not consider it
if commonPattern and commonPattern == prevValue:
commonPattern = None
# For each common output
for item in commonPartOutputs:
2010-05-27 20:45:09 +04:00
# Check if the common output (item) starts with prevValue
# where prevValue is the enumerated character(s) so far
if item.startswith(prevValue):
commonValue = item
countCommonValue += 1
2010-05-27 20:45:09 +04:00
if len(item) > len(prevValue):
char = item[len(prevValue)]
predictionSet.add(char)
# Reset single value if there is more than one possible common
# output
if countCommonValue > 1:
commonValue = None
2010-05-24 19:46:12 +04:00
2010-05-27 20:45:09 +04:00
commonCharset = []
2010-05-21 16:44:09 +04:00
otherCharset = []
2010-05-24 19:46:12 +04:00
2010-05-27 20:45:09 +04:00
# Split the original charset into common chars (commonCharset)
# and other chars (otherCharset)
for ordChar in originalCharset:
2010-05-21 13:35:36 +04:00
if chr(ordChar) not in predictionSet:
2010-05-21 16:44:09 +04:00
otherCharset.append(ordChar)
2010-05-21 13:35:36 +04:00
else:
2010-05-27 20:45:09 +04:00
commonCharset.append(ordChar)
2010-05-24 19:46:12 +04:00
2010-05-27 20:45:09 +04:00
commonCharset.sort()
2010-05-24 19:46:12 +04:00
return commonValue, commonPattern, commonCharset, originalCharset
2010-05-21 13:35:36 +04:00
else:
return None, None, None, originalCharset
2010-05-21 18:42:59 +04:00
def getPartRun():
2010-05-26 15:14:22 +04:00
"""
2010-11-12 13:02:02 +03:00
Goes through call stack and finds constructs matching conf.dbmsHandler.*.
2010-05-27 20:45:09 +04:00
Returns it or its alias used in txt/common-outputs.txt
2010-05-26 15:14:22 +04:00
"""
2010-05-27 20:45:09 +04:00
retVal = None
2010-05-27 20:45:09 +04:00
commonPartsDict = optDict["Enumeration"]
2011-07-27 12:25:51 +04:00
try:
stack = [item[4][0] if isinstance(item[4], list) else '' for item in inspect.stack()]
# Goes backwards through the stack to find the conf.dbmsHandler method
# calling this function
2012-02-22 19:53:36 +04:00
for i in xrange(0, len(stack) - 1):
for regex in (r"self\.(get[^(]+)\(\)", r"conf\.dbmsHandler\.([^(]+)\(\)"):
match = re.search(regex, stack[i])
2011-07-27 12:25:51 +04:00
if match:
# This is the calling conf.dbmsHandler or self method
# (e.g. 'getDbms')
retVal = match.groups()[0]
break
if retVal is not None:
break
2010-05-27 20:45:09 +04:00
2011-07-27 12:25:51 +04:00
# Reference: http://coding.derkeiler.com/Archive/Python/comp.lang.python/2004-06/2267.html
except TypeError:
pass
2010-05-27 20:45:09 +04:00
# Return the INI tag to consider for common outputs (e.g. 'Databases')
2011-07-27 12:25:51 +04:00
return commonPartsDict[retVal][1] if isinstance(commonPartsDict.get(retVal), tuple) else retVal
2010-05-28 13:13:50 +04:00
2012-02-07 14:46:55 +04:00
def getUnicode(value, encoding=None, system=False, noneToNull=False):
2010-08-21 01:01:51 +04:00
"""
Return the unicode representation of the supplied value:
>>> getUnicode(u'test')
u'test'
>>> getUnicode('test')
u'test'
>>> getUnicode(1)
u'1'
"""
2010-10-15 14:28:06 +04:00
2012-02-07 14:46:55 +04:00
if noneToNull and value is None:
return NULL
2012-06-14 17:38:53 +04:00
if isListLike(value):
2012-02-07 14:46:55 +04:00
value = list(getUnicode(_, encoding, system, noneToNull) for _ in value)
return value
if not system:
if isinstance(value, unicode):
return value
elif isinstance(value, basestring):
return unicode(value, encoding or kb.pageEncoding or UNICODE_ENCODING, "replace")
else:
2012-02-22 19:53:36 +04:00
return unicode(value) # encoding ignored for non-basestring instances
2010-06-02 16:31:36 +04:00
else:
try:
return getUnicode(value, sys.getfilesystemencoding() or sys.stdin.encoding)
except:
return getUnicode(value, UNICODE_ENCODING)
2010-06-02 16:31:36 +04:00
2010-06-30 15:22:25 +04:00
def longestCommonPrefix(*sequences):
2011-10-22 01:29:24 +04:00
"""
Returns longest common prefix occuring in given sequences
2012-07-01 03:19:54 +04:00
Reference: http://boredzo.org/blog/archives/2007-01-06/longest-common-prefix-in-python-2
2011-10-22 01:29:24 +04:00
"""
if len(sequences) == 1:
return sequences[0]
sequences = [pair[1] for pair in sorted((len(fi), fi) for fi in sequences)]
if not sequences:
return None
for i, comparison_ch in enumerate(sequences[0]):
for fi in sequences[1:]:
ch = fi[i]
if ch != comparison_ch:
return fi[:i]
return sequences[0]
2010-06-30 15:22:25 +04:00
def commonFinderOnly(initial, sequence):
return longestCommonPrefix(*filter(lambda x: x.startswith(initial), sequence))
2010-09-25 01:59:03 +04:00
2010-12-21 01:45:01 +03:00
def pushValue(value):
"""
Push value to the stack (thread dependent)
"""
2011-07-08 10:02:31 +04:00
getCurrentThreadData().valueStack.append(copy.deepcopy(value))
2010-09-30 16:35:45 +04:00
def popValue():
2010-10-25 18:06:56 +04:00
"""
2010-12-21 01:45:01 +03:00
Pop value from the stack (thread dependent)
2010-10-25 18:06:56 +04:00
"""
2010-10-26 10:08:40 +04:00
2010-12-21 01:45:01 +03:00
return getCurrentThreadData().valueStack.pop()
2010-10-25 18:06:56 +04:00
def wasLastRequestDBMSError():
2010-10-25 18:06:56 +04:00
"""
Returns True if the last web request resulted in a (recognized) DBMS error page
"""
2010-10-26 10:08:40 +04:00
2010-12-21 01:45:01 +03:00
threadData = getCurrentThreadData()
return threadData.lastErrorPage and threadData.lastErrorPage[0] == threadData.lastRequestUID
2010-12-08 17:26:40 +03:00
2010-12-26 16:20:52 +03:00
def wasLastRequestHTTPError():
"""
Returns True if the last web request resulted in an errornous HTTP code (like 500)
"""
threadData = getCurrentThreadData()
return threadData.lastHTTPError and threadData.lastHTTPError[0] == threadData.lastRequestUID
2010-12-08 17:26:40 +03:00
def wasLastRequestDelayed():
"""
Returns True if the last web request resulted in a time-delay
"""
2012-06-19 12:33:51 +04:00
# 99.9999999997440% of all non time-based SQL injection affected
2011-01-19 02:05:32 +03:00
# response times should be inside +-7*stdev([normal response times])
# Math reference: http://www.answers.com/topic/standard-deviation
2011-10-22 01:29:24 +04:00
2010-12-08 17:46:07 +03:00
deviation = stdev(kb.responseTimes)
2010-12-21 01:45:01 +03:00
threadData = getCurrentThreadData()
2010-12-09 03:26:06 +03:00
2012-01-13 15:16:26 +04:00
if deviation and not conf.direct:
2010-12-08 17:46:07 +03:00
if len(kb.responseTimes) < MIN_TIME_RESPONSES:
2010-12-09 03:26:06 +03:00
warnMsg = "time-based standard deviation method used on a model "
warnMsg += "with less than %d response times" % MIN_TIME_RESPONSES
2010-12-08 17:46:07 +03:00
logger.warn(warnMsg)
2010-12-09 03:26:06 +03:00
lowerStdLimit = average(kb.responseTimes) + TIME_STDEV_COEFF * deviation
retVal = (threadData.lastQueryDuration >= lowerStdLimit)
2012-10-09 17:19:47 +04:00
if not kb.testMode and retVal:
if kb.adjustTimeDelay is None:
msg = "do you want sqlmap to try to optimize value(s) "
msg += "for DBMS delay responses (option '--time-sec')? [Y/n] "
choice = readInput(msg, default='Y')
kb.adjustTimeDelay = ADJUST_TIME_DELAY.DISABLE if choice.upper() == 'N' else ADJUST_TIME_DELAY.YES
if kb.adjustTimeDelay is ADJUST_TIME_DELAY.YES:
adjustTimeDelay(threadData.lastQueryDuration, lowerStdLimit)
return retVal
2010-12-08 17:46:07 +03:00
else:
2011-02-07 15:32:08 +03:00
return (threadData.lastQueryDuration - conf.timeSec) >= 0
2010-10-25 23:16:42 +04:00
def adjustTimeDelay(lastQueryDuration, lowerStdLimit):
"""
Provides tip for adjusting time delay in time-based data retrieval
"""
candidate = 1 + int(round(lowerStdLimit))
if candidate:
kb.delayCandidates = [candidate] + kb.delayCandidates[:-1]
2011-01-19 02:05:32 +03:00
2012-10-09 16:46:45 +04:00
if all((x == candidate for x in kb.delayCandidates)) and candidate < conf.timeSec:
conf.timeSec = candidate
infoMsg = "adjusting time delay to "
infoMsg += "%d second%s due to good response times" % (conf.timeSec, 's' if conf.timeSec > 1 else '')
logger.info(infoMsg)
2012-01-14 00:56:06 +04:00
def getLastRequestHTTPError():
"""
Returns last HTTP error code
"""
threadData = getCurrentThreadData()
return threadData.lastHTTPError[1] if threadData.lastHTTPError else None
def extractErrorMessage(page):
"""
Returns reported error message from page if it founds one
"""
retVal = None
2010-11-16 17:41:46 +03:00
if isinstance(page, basestring):
for regex in ERROR_PARSING_REGEXES:
2010-11-16 17:41:46 +03:00
match = re.search(regex, page, re.DOTALL | re.IGNORECASE)
2010-11-24 15:03:01 +03:00
2010-11-16 17:41:46 +03:00
if match:
retVal = htmlunescape(match.group("result")).replace("<br>", "\n").strip()
break
return retVal
2012-10-16 14:32:58 +04:00
def findMultipartPostBoundary(post):
"""
Finds value for a boundary parameter in given multipart POST body
"""
retVal = None
done = set()
candidates = []
for match in re.finditer(r"(?m)^--(.+?)(--)?$", post or ""):
_ = match.group(1)
if _ in done:
continue
else:
candidates.append((post.count(_), _))
done.add(_)
if candidates:
candidates.sort(key=lambda _: _[0], reverse=True)
retVal = candidates[0][1]
return retVal
2012-12-05 15:15:14 +04:00
def urldecode(value, encoding=None, unsafe="%%&=;+%s" % CUSTOM_INJECTION_MARK_CHAR, convall=False):
2012-11-20 14:19:23 +04:00
result = value
2012-07-31 13:03:44 +04:00
if value:
try:
# for cases like T%C3%BCrk%C3%A7e
value = str(value)
except ValueError:
pass
finally:
2012-10-15 19:55:57 +04:00
if convall:
result = urllib.unquote_plus(value)
else:
2012-10-15 18:23:41 +04:00
def _(match):
2012-10-16 01:15:52 +04:00
charset = reduce(lambda x, y: x.replace(y, ""), unsafe, string.printable)
2012-10-15 18:23:41 +04:00
char = chr(ord(match.group(1).decode("hex")))
2012-10-15 19:55:57 +04:00
return char if char in charset else match.group(0)
2012-10-15 18:23:41 +04:00
result = re.sub("%([0-9a-fA-F]{2})", _, value)
2012-11-14 14:30:29 +04:00
result = result.replace("+", " ") # plus sign has a special meaning in url encoded data (hence the usage of urllib.unquote_plus in convall case)
2012-07-31 13:03:44 +04:00
if isinstance(result, str):
result = unicode(result, encoding or UNICODE_ENCODING, "replace")
return result
def urlencode(value, safe="%&=", convall=False, limit=False):
2012-10-04 13:25:44 +04:00
if conf.direct:
2012-07-31 13:03:44 +04:00
return value
count = 0
result = None if value is None else ""
if value:
if convall or safe is None:
safe = ""
# corner case when character % really needs to be
# encoded (when not representing url encoded char)
# except in cases when tampering scripts are used
if all(map(lambda x: '%' in x, [safe, value])) and not kb.tamperFunctions:
value = re.sub("%(?![0-9a-fA-F]{2})", "%25", value)
while True:
result = urllib.quote(utf8encode(value), safe)
if limit and len(result) > URLENCODE_CHAR_LIMIT:
if count >= len(URLENCODE_FAILSAFE_CHARS):
break
while count < len(URLENCODE_FAILSAFE_CHARS):
safe += URLENCODE_FAILSAFE_CHARS[count]
count += 1
if safe[-1] in value:
break
else:
break
return result
2010-10-28 00:39:50 +04:00
def runningAsAdmin():
2011-10-22 01:29:24 +04:00
"""
Returns True if the current process is run under admin privileges
"""
isAdmin = None
2010-10-28 00:39:50 +04:00
2012-02-22 19:53:36 +04:00
if PLATFORM in ("posix", "mac"):
_ = os.geteuid()
2010-10-28 00:39:50 +04:00
isAdmin = isinstance(_, (int, float, long)) and _ == 0
2010-10-28 00:39:50 +04:00
elif IS_WIN:
_ = ctypes.windll.shell32.IsUserAnAdmin()
2010-10-28 00:39:50 +04:00
isAdmin = isinstance(_, (int, float, long)) and _ == 1
2010-10-28 00:39:50 +04:00
else:
2011-01-19 02:05:32 +03:00
errMsg = "sqlmap is not able to check if you are running it "
errMsg += "as an administrator account on this platform. "
2010-10-28 00:39:50 +04:00
errMsg += "sqlmap will assume that you are an administrator "
errMsg += "which is mandatory for the requested takeover attack "
errMsg += "to work properly"
logger.error(errMsg)
isAdmin = True
return isAdmin
2010-11-08 14:22:47 +03:00
def logHTTPTraffic(requestLogMsg, responseLogMsg):
"""
Logs HTTP traffic to the output file
"""
2011-12-26 16:24:39 +04:00
if not conf.trafficFile:
return
2012-06-14 17:52:56 +04:00
with kb.locks.log:
dataToTrafficFile("%s%s" % (requestLogMsg, os.linesep))
dataToTrafficFile("%s%s" % (responseLogMsg, os.linesep))
dataToTrafficFile("%s%s%s%s" % (os.linesep, 76 * '#', os.linesep, os.linesep))
2012-07-31 13:03:44 +04:00
def getPageTemplate(payload, place): # Cross-linked function
2010-12-18 12:51:34 +03:00
pass
2010-12-15 14:21:47 +03:00
def getPublicTypeMembers(type_, onlyValues=False):
2010-11-23 17:50:47 +03:00
"""
Useful for getting members from types (e.g. in enums)
"""
for name, value in inspect.getmembers(type_):
if not name.startswith('__'):
2010-12-15 14:21:47 +03:00
if not onlyValues:
2011-05-17 00:14:10 +04:00
yield (name, value)
2010-12-15 14:21:47 +03:00
else:
2011-05-17 00:14:10 +04:00
yield value
2010-11-24 14:38:27 +03:00
2010-12-18 12:51:34 +03:00
def enumValueToNameLookup(type_, value_):
"""
Returns name of a enum member with a given value
"""
2010-12-18 12:51:34 +03:00
retVal = None
for name, value in getPublicTypeMembers(type_):
if value == value_:
retVal = name
break
return retVal
def extractRegexResult(regex, content, flags=0):
"""
Returns 'result' group value from a possible match with regex on a given
content
"""
2010-11-24 14:38:27 +03:00
retVal = None
if regex and content and '?P<result>' in regex:
match = re.search(regex, content, flags)
2010-12-07 15:32:58 +03:00
2010-11-24 14:38:27 +03:00
if match:
retVal = match.group("result")
return retVal
2010-11-29 18:14:49 +03:00
def extractTextTagContent(page):
"""
Returns list containing content from "textual" tags
"""
2012-04-12 01:36:37 +04:00
page = re.sub(r"(?si)[^\s>]*%s[^<]*" % REFLECTED_VALUE_MARKER, "", page or "")
return filter(None, (_.group('result').strip() for _ in re.finditer(TEXT_TAG_REGEX, page)))
2010-11-29 18:14:49 +03:00
def trimAlphaNum(value):
"""
Trims alpha numeric characters from start and ending of a given value
"""
2010-11-29 18:14:49 +03:00
while value and value[-1].isalnum():
value = value[:-1]
while value and value[0].isalnum():
value = value[1:]
return value
def isNumPosStrValue(value):
"""
Returns True if value is a string (or integer) with a positive integer representation
"""
return (value and isinstance(value, basestring) and value.isdigit() and value != "0") or (isinstance(value, int) and value != 0)
@cachedmethod
2011-01-14 12:49:14 +03:00
def aliasToDbmsEnum(dbms):
"""
Returns major DBMS name from a given alias
"""
retVal = None
2010-12-10 13:54:17 +03:00
2012-02-07 16:05:23 +04:00
if dbms:
for key, item in DBMS_DICT.items():
if dbms.lower() in item[0] or dbms.lower() == key.lower():
retVal = key
break
2010-12-10 13:54:17 +03:00
return retVal
2010-12-29 22:39:32 +03:00
def findDynamicContent(firstPage, secondPage):
"""
This function checks if the provided pages have dynamic content. If they
are dynamic, proper markings will be made
2010-12-29 22:39:32 +03:00
"""
infoMsg = "searching for dynamic content"
logger.info(infoMsg)
blocks = SequenceMatcher(None, firstPage, secondPage).get_matching_blocks()
kb.dynamicMarkings = []
# Removing too small matching blocks
2011-12-22 02:59:23 +04:00
for block in blocks[:]:
2010-12-29 22:39:32 +03:00
(_, _, length) = block
if length <= DYNAMICITY_MARK_LENGTH:
blocks.remove(block)
# Making of dynamic markings based on prefix/suffix principle
if len(blocks) > 0:
blocks.insert(0, None)
blocks.append(None)
for i in xrange(len(blocks) - 1):
prefix = firstPage[blocks[i][0]:blocks[i][0] + blocks[i][2]] if blocks[i] else None
suffix = firstPage[blocks[i + 1][0]:blocks[i + 1][0] + blocks[i + 1][2]] if blocks[i + 1] else None
if prefix is None and blocks[i + 1][0] == 0:
continue
if suffix is None and (blocks[i][0] + blocks[i][2] >= len(firstPage)):
continue
prefix = trimAlphaNum(prefix)
suffix = trimAlphaNum(suffix)
2012-02-22 19:53:36 +04:00
kb.dynamicMarkings.append((re.escape(prefix[-DYNAMICITY_MARK_LENGTH / 2:]) if prefix else None, re.escape(suffix[:DYNAMICITY_MARK_LENGTH / 2]) if suffix else None))
2010-12-29 22:39:32 +03:00
if len(kb.dynamicMarkings) > 0:
infoMsg = "dynamic content marked for removal (%d region%s)" % (len(kb.dynamicMarkings), 's' if len(kb.dynamicMarkings) > 1 else '')
logger.info(infoMsg)
2010-12-04 13:13:18 +03:00
def removeDynamicContent(page):
"""
2011-01-07 18:41:09 +03:00
Removing dynamic content from supplied page basing removal on
precalculated dynamic markings
"""
2011-01-07 18:41:09 +03:00
2010-12-04 13:13:18 +03:00
if page:
for item in kb.dynamicMarkings:
prefix, suffix = item
2011-01-07 18:41:09 +03:00
if prefix is None and suffix is None:
continue
elif prefix is None:
page = re.sub(r'(?s)^.+%s' % suffix, suffix, page)
2010-12-04 13:13:18 +03:00
elif suffix is None:
page = re.sub(r'(?s)%s.+$' % prefix, prefix, page)
2010-12-04 13:13:18 +03:00
else:
page = re.sub(r'(?s)%s.+%s' % (prefix, suffix), '%s%s' % (prefix, suffix), page)
2010-12-04 13:13:18 +03:00
return page
2010-12-10 13:54:17 +03:00
2011-12-16 16:34:26 +04:00
def filterStringValue(value, regex, replacement=""):
"""
2011-01-07 18:41:09 +03:00
Returns string value consisting only of chars satisfying supplied
2011-11-22 13:00:00 +04:00
regular expression (note: it has to be in form [...])
"""
2011-01-07 18:41:09 +03:00
2011-12-16 16:34:26 +04:00
retVal = value
2012-07-01 02:33:19 +04:00
2011-12-16 16:34:26 +04:00
if value:
retVal = re.sub(regex.replace("[", "[^") if "[^" not in regex else regex.replace("[^", "["), replacement, value)
2012-07-01 02:33:19 +04:00
2011-12-16 16:34:26 +04:00
return retVal
2010-12-10 13:54:17 +03:00
def filterControlChars(value):
"""
2011-01-07 18:41:09 +03:00
Returns string value with control chars being supstituted with ' '
"""
2011-01-07 18:41:09 +03:00
return filterStringValue(value, PRINTABLE_CHAR_REGEX, ' ')
2010-12-10 13:54:17 +03:00
def isDBMSVersionAtLeast(version):
"""
2011-01-07 18:41:09 +03:00
Checks if the recognized DBMS version is at least the version
specified
"""
2011-01-07 18:41:09 +03:00
2010-12-10 13:54:17 +03:00
retVal = None
if Backend.getVersion() and Backend.getVersion() != UNKNOWN_DBMS_VERSION:
value = Backend.getVersion().replace(" ", "").rstrip('.')
2010-12-21 03:47:07 +03:00
while True:
index = value.find('.', value.find('.') + 1)
2011-01-07 18:41:09 +03:00
2010-12-21 03:47:07 +03:00
if index > -1:
value = value[0:index] + value[index + 1:]
else:
break
value = filterStringValue(value, '[0-9.><=]')
2010-12-14 00:55:30 +03:00
if isinstance(value, basestring):
if value.startswith(">="):
value = float(value.replace(">=", ""))
elif value.startswith(">"):
value = float(value.replace(">", "")) + 0.01
elif value.startswith("<="):
value = float(value.replace("<=", ""))
elif value.startswith(">"):
value = float(value.replace("<", "")) - 0.01
retVal = getUnicode(value) >= getUnicode(version)
2010-12-10 13:54:17 +03:00
return retVal
def parseSqliteTableSchema(value):
"""
2011-01-07 18:41:09 +03:00
Parses table column names and types from specified SQLite table schema
"""
2011-01-07 18:41:09 +03:00
if value:
table = {}
columns = {}
for match in re.finditer(r"(\w+)\s+(TEXT|NUMERIC|INTEGER|REAL|NONE)", value):
columns[match.group(1)] = match.group(2)
table[conf.tbl] = columns
kb.data.cachedColumns[conf.db] = table
2010-12-15 14:21:47 +03:00
def getTechniqueData(technique=None):
"""
Returns injection data for technique specified
"""
2011-01-07 18:41:09 +03:00
2012-07-06 19:18:22 +04:00
return kb.injection.data.get(technique)
2010-12-15 14:46:28 +03:00
def isTechniqueAvailable(technique):
"""
2011-01-07 18:41:09 +03:00
Returns True if there is injection data which sqlmap could use for
technique specified
"""
2011-02-02 01:05:12 +03:00
if conf.tech and isinstance(conf.tech, list) and technique not in conf.tech:
return False
else:
return getTechniqueData(technique) is not None
2010-12-18 12:51:34 +03:00
def isInferenceAvailable():
2012-02-16 18:42:28 +04:00
"""
Returns True whether techniques using inference technique are available
"""
return any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.STACKED, PAYLOAD.TECHNIQUE.TIME))
def setOptimize():
2012-07-01 03:19:54 +04:00
"""
Sets options turned on by switch '-o'
"""
#conf.predictOutput = True
conf.keepAlive = True
conf.threads = 3 if conf.threads < 3 else conf.threads
2012-07-26 14:06:02 +04:00
conf.nullConnection = not any([conf.data, conf.textOnly, conf.titles, conf.string, conf.notString, conf.regexp, conf.tor])
if not conf.nullConnection:
debugMsg = "turning off --null-connection switch used indirectly by switch -o"
logger.debug(debugMsg)
2010-12-18 12:51:34 +03:00
def initTechnique(technique=None):
"""
2011-12-21 15:50:49 +04:00
Prepares data for technique specified
"""
try:
data = getTechniqueData(technique)
2011-12-21 15:50:49 +04:00
resetCounter(technique)
2011-01-07 18:41:09 +03:00
if data:
kb.pageTemplate, kb.errorIsNone = getPageTemplate(data.templatePayload, kb.injection.place)
2011-01-14 17:55:59 +03:00
kb.matchRatio = data.matchRatio
kb.negativeLogic = (technique == PAYLOAD.TECHNIQUE.BOOLEAN) and (data.where == PAYLOAD.WHERE.NEGATIVE)
2011-01-14 17:55:59 +03:00
# Restoring stored conf options
2011-01-14 18:33:49 +03:00
for key, value in kb.injection.conf.items():
if value and (not hasattr(conf, key) or (hasattr(conf, key) and not getattr(conf, key))):
2011-01-14 18:33:49 +03:00
setattr(conf, key, value)
2011-01-16 02:20:52 +03:00
debugMsg = "resuming configuration option '%s' (%s)" % (key, value)
2011-01-14 18:33:49 +03:00
logger.debug(debugMsg)
if value and key == "optimize":
setOptimize()
else:
warnMsg = "there is no injection data available for technique "
warnMsg += "'%s'" % enumValueToNameLookup(PAYLOAD.TECHNIQUE, technique)
logger.warn(warnMsg)
except SqlmapDataException:
errMsg = "missing data in old session file(s). "
2011-12-22 15:55:02 +04:00
errMsg += "Please use '--flush-session' to deal "
errMsg += "with this error"
raise SqlmapNoneDataException, errMsg
def arrayizeValue(value):
"""
2012-02-29 19:38:01 +04:00
Makes a list out of value if it is not already a list or tuple itself
"""
2011-01-07 18:41:09 +03:00
2012-06-14 17:38:53 +04:00
if not isListLike(value):
2012-02-22 19:53:36 +04:00
value = [value]
2011-01-07 18:41:09 +03:00
return value
def unArrayizeValue(value):
"""
2012-02-29 19:38:01 +04:00
Makes a value out of iterable if it is a list or tuple itself
"""
2012-06-14 17:38:53 +04:00
if isListLike(value):
value = value[0] if len(value) > 0 else None
return value
def flattenValue(value):
"""
Returns an iterator representing flat representation of a given value
"""
for i in iter(value):
2012-06-14 17:38:53 +04:00
if isListLike(i):
for j in flattenValue(i):
yield j
else:
yield i
2012-06-14 17:38:53 +04:00
def isListLike(value):
"""
Returns True if the given value is a list-like instance
"""
return isinstance(value, (list, tuple, set, BigArray))
def getSortedInjectionTests():
"""
2011-01-07 18:41:09 +03:00
Returns prioritized test list by eventually detected DBMS from error
messages
"""
2011-01-07 18:41:09 +03:00
2012-07-26 02:49:51 +04:00
retVal = copy.deepcopy(conf.tests)
2011-01-07 18:41:09 +03:00
def priorityFunction(test):
2011-12-21 23:40:42 +04:00
retVal = SORT_ORDER.FIRST
2011-01-13 14:23:07 +03:00
2011-01-13 14:08:29 +03:00
if test.stype == PAYLOAD.TECHNIQUE.UNION:
2011-12-21 23:40:42 +04:00
retVal = SORT_ORDER.LAST
2011-01-13 14:23:07 +03:00
2011-01-13 14:08:29 +03:00
elif 'details' in test and 'dbms' in test.details:
if test.details.dbms in Backend.getErrorParsedDBMSes():
2011-12-21 23:40:42 +04:00
retVal = SORT_ORDER.SECOND
else:
2011-12-21 23:40:42 +04:00
retVal = SORT_ORDER.THIRD
2011-01-13 14:23:07 +03:00
return retVal
if Backend.getErrorParsedDBMSes():
retVal = sorted(retVal, key=priorityFunction)
return retVal
def filterListValue(value, regex):
"""
2011-01-07 18:41:09 +03:00
Returns list with items that have parts satisfying given regular
expression
"""
2011-01-07 18:41:09 +03:00
2011-05-17 00:09:12 +04:00
if isinstance(value, list) and regex:
retVal = filter(lambda _: re.search(regex, _, re.I), value)
else:
2011-05-17 00:09:12 +04:00
retVal = value
return retVal
def showHttpErrorCodes():
2011-01-03 11:46:20 +03:00
"""
2011-01-07 18:41:09 +03:00
Shows all HTTP error codes raised till now
2011-01-03 11:46:20 +03:00
"""
2011-01-07 18:41:09 +03:00
if kb.httpErrorCodes:
2012-12-11 18:24:02 +04:00
warnMsg = "HTTP error codes detected during run:\n"
2011-01-07 18:41:09 +03:00
warnMsg += ", ".join("%d (%s) - %d times" % (code, httplib.responses[code] \
if code in httplib.responses else '?', count) \
for code, count in kb.httpErrorCodes.items())
logger.warn(warnMsg)
2011-01-03 11:46:20 +03:00
def getComparePageRatio(firstPage, secondPage, filtered=False):
"""
2011-01-07 18:41:09 +03:00
Returns comparison ratio between two given pages
2011-01-03 11:46:20 +03:00
"""
2011-01-07 18:41:09 +03:00
2011-01-03 11:46:20 +03:00
if filtered:
2011-01-14 17:55:59 +03:00
(firstPage, secondPage) = map(getFilteredPageContent, (firstPage, secondPage))
2011-01-03 11:46:20 +03:00
seqMatcher = getCurrentThreadData().seqMatcher
seqMatcher.set_seq1(firstPage)
seqMatcher.set_seq2(secondPage)
2011-01-03 11:46:20 +03:00
return seqMatcher.quick_ratio()
def openFile(filename, mode='r'):
"""
Returns file handle of a given filename
"""
try:
return codecs.open(filename, mode, UNICODE_ENCODING, "replace")
except IOError:
errMsg = "there has been a file opening error for filename '%s'. " % filename
2011-01-19 02:05:32 +03:00
errMsg += "Please check %s permissions on a file " % ("write" if \
mode and ('w' in mode or 'a' in mode or '+' in mode) else "read")
errMsg += "and that it's not locked by another process."
raise SqlmapFilePathException, errMsg
2011-01-19 18:25:48 +03:00
def decodeIntToUnicode(value):
"""
2012-07-23 21:31:06 +04:00
Decodes inferenced integer value to an unicode character
2011-01-19 18:25:48 +03:00
"""
2012-07-23 21:31:06 +04:00
retVal = value
if isinstance(value, int):
try:
# http://dev.mysql.com/doc/refman/5.0/en/string-functions.html#function_ord
if Backend.getIdentifiedDbms() in (DBMS.MYSQL,):
retVal = getUnicode(hexdecode(hex(value)))
elif value > 255:
retVal = unichr(value)
else:
retVal = getUnicode(chr(value))
2012-07-23 21:31:06 +04:00
except:
retVal = INFERENCE_UNKNOWN_CHAR
return retVal
def unhandledExceptionMessage():
"""
Returns detailed message about occured unhandled exception
"""
2011-04-30 17:20:05 +04:00
errMsg = "unhandled exception in %s, retry your " % VERSION_STRING
2012-07-08 01:49:34 +04:00
errMsg += "run with the latest development version from the GitHub "
errMsg += "repository. If the exception persists, please send by e-mail "
2012-07-04 22:28:18 +04:00
errMsg += "to '%s' or open a new issue at '%s' with the following text " % (ML, ISSUES_PAGE)
errMsg += "and any information required to reproduce the bug. The "
errMsg += "developers will try to reproduce the bug, fix it accordingly "
errMsg += "and get back to you.\n"
2012-07-03 15:06:52 +04:00
errMsg += "sqlmap version: %s%s\n" % (VERSION, "-%s" % REVISION if REVISION else "")
errMsg += "Python version: %s\n" % PYVERSION
errMsg += "Operating system: %s\n" % PLATFORM
2011-02-02 17:25:16 +03:00
errMsg += "Command line: %s\n" % " ".join(sys.argv)
errMsg += "Technique: %s\n" % (enumValueToNameLookup(PAYLOAD.TECHNIQUE, kb.technique) if kb.get("technique") else None)
2011-02-01 01:34:57 +03:00
errMsg += "Back-end DBMS: %s" % ("%s (fingerprinted)" % Backend.getDbms() if Backend.getDbms() is not None else "%s (identified)" % Backend.getIdentifiedDbms())
2011-12-21 23:40:42 +04:00
2011-02-02 17:25:16 +03:00
return maskSensitiveData(errMsg)
def maskSensitiveData(msg):
"""
Masks sensitive data in the supplied message
"""
retVal = msg
2012-02-23 19:32:36 +04:00
for item in filter(None, map(lambda x: conf.get(x), ("hostname", "googleDork", "aCred", "pCred", "tbl", "db", "col", "user", "cookie", "proxy"))):
2012-05-25 00:53:01 +04:00
regex = SENSITIVE_DATA_REGEX % re.sub("(\W)", r"\\\1", item)
2011-02-02 17:35:21 +03:00
while extractRegexResult(regex, retVal):
value = extractRegexResult(regex, retVal)
2012-02-22 19:53:36 +04:00
retVal = retVal.replace(value, '*' * len(value))
2011-02-02 17:25:16 +03:00
return retVal
def listToStrValue(value):
"""
Flattens list to a string value
>>> listToStrValue([1,2,3])
'1, 2, 3'
"""
2011-02-01 01:51:14 +03:00
if isinstance(value, (set, tuple)):
value = list(value)
if isinstance(value, list):
2011-02-01 14:10:23 +03:00
retVal = value.__str__().lstrip('[').rstrip(']')
else:
2011-02-01 14:10:23 +03:00
retVal = value
2011-02-01 14:10:23 +03:00
return retVal
def getExceptionFrameLocals():
"""
Returns dictionary with local variable content from frame
2012-02-16 18:42:28 +04:00
where exception has been raised
"""
retVal = {}
2011-02-01 14:10:23 +03:00
if sys.exc_info():
trace = sys.exc_info()[2]
while trace.tb_next:
trace = trace.tb_next
retVal = trace.tb_frame.f_locals
2011-02-01 14:10:23 +03:00
return retVal
2011-08-29 17:47:32 +04:00
def intersect(valueA, valueB, lowerCase=False):
"""
Returns intersection of the array-ized values
"""
retVal = None
if valueA and valueB:
2011-08-29 17:47:32 +04:00
valueA = arrayizeValue(valueA)
valueB = arrayizeValue(valueB)
if lowerCase:
2012-01-03 21:28:50 +04:00
valueA = [val.lower() if isinstance(val, basestring) else val for val in valueA]
valueB = [val.lower() if isinstance(val, basestring) else val for val in valueB]
2011-08-29 17:47:32 +04:00
retVal = [val for val in valueA if val in valueB]
return retVal
2011-02-22 15:54:22 +03:00
def cpuThrottle(value):
"""
2011-12-20 19:01:27 +04:00
Does a CPU throttling for lesser CPU consumption
2011-02-22 15:54:22 +03:00
"""
2011-02-22 15:54:22 +03:00
delay = 0.00001 * (value ** 2)
time.sleep(delay)
def removeReflectiveValues(content, payload, suppressWarning=False):
"""
Neutralizes reflective values in a given content based on a payload
2012-04-12 01:48:44 +04:00
(e.g. ..search.php?q=1 AND 1=2 --> "...searching for <b>1%20AND%201%3D2</b>..." --> "...searching for <b>__REFLECTED_VALUE__</b>...")
"""
2011-02-25 12:35:24 +03:00
retVal = content
2011-06-06 17:34:49 +04:00
if all([content, payload]) and isinstance(content, unicode) and kb.reflectiveMechanism:
def _(value):
while 2 * REFLECTED_REPLACEMENT_REGEX in value:
value = value.replace(2 * REFLECTED_REPLACEMENT_REGEX, REFLECTED_REPLACEMENT_REGEX)
return value
2011-02-26 20:48:19 +03:00
payload = getUnicode(urldecode(payload.replace(PAYLOAD_DELIMITER, ''), convall=True))
regex = _(filterStringValue(payload, r"[A-Za-z0-9]", REFLECTED_REPLACEMENT_REGEX.encode("string-escape")))
2011-02-26 20:48:19 +03:00
2012-04-11 12:58:03 +04:00
if regex != payload:
if all(part.lower() in content.lower() for part in filter(None, regex.split(REFLECTED_REPLACEMENT_REGEX))[1:]): # fast optimization check
2012-04-11 12:58:03 +04:00
parts = regex.split(REFLECTED_REPLACEMENT_REGEX)
2012-04-12 03:01:38 +04:00
retVal = content.replace(payload, REFLECTED_VALUE_MARKER) # dummy approach
2012-04-11 12:58:03 +04:00
if len(parts) > REFLECTED_MAX_REGEX_PARTS: # preventing CPU hogs
regex = _("%s%s%s" % (REFLECTED_REPLACEMENT_REGEX.join(parts[:REFLECTED_MAX_REGEX_PARTS / 2]), REFLECTED_REPLACEMENT_REGEX, REFLECTED_REPLACEMENT_REGEX.join(parts[-REFLECTED_MAX_REGEX_PARTS / 2:])))
parts = filter(None, regex.split(REFLECTED_REPLACEMENT_REGEX))
if regex.startswith(REFLECTED_REPLACEMENT_REGEX):
regex = r"%s%s" % (REFLECTED_BORDER_REGEX, regex[len(REFLECTED_REPLACEMENT_REGEX):])
else:
regex = r"\b%s" % regex
if regex.endswith(REFLECTED_REPLACEMENT_REGEX):
regex = r"%s%s" % (regex[:-len(REFLECTED_REPLACEMENT_REGEX)], REFLECTED_BORDER_REGEX)
else:
regex = r"%s\b" % regex
2012-04-12 03:01:38 +04:00
retVal = re.sub(r"(?i)%s" % regex, REFLECTED_VALUE_MARKER, retVal)
if len(parts) > 2:
regex = REFLECTED_REPLACEMENT_REGEX.join(parts[1:])
2012-04-12 03:01:38 +04:00
retVal = re.sub(r"(?i)\b%s\b" % regex, REFLECTED_VALUE_MARKER, retVal)
2012-04-11 12:58:03 +04:00
if retVal != content:
kb.reflectiveCounters[REFLECTIVE_COUNTER.HIT] += 1
2011-05-30 13:46:32 +04:00
if not suppressWarning:
2012-04-11 12:58:03 +04:00
warnMsg = "reflective value(s) found and filtering out"
singleTimeWarnMessage(warnMsg)
2012-05-14 18:38:16 +04:00
if re.search(r"FRAME[^>]+src=[^>]*%s" % REFLECTED_VALUE_MARKER, retVal, re.I):
warnMsg = "frames detected containing attacked parameter values. Please be sure to "
warnMsg += "test those separately in case that attack on this page fails"
singleTimeWarnMessage(warnMsg)
2012-04-11 12:58:03 +04:00
elif not kb.testMode and not kb.reflectiveCounters[REFLECTIVE_COUNTER.HIT]:
kb.reflectiveCounters[REFLECTIVE_COUNTER.MISS] += 1
if kb.reflectiveCounters[REFLECTIVE_COUNTER.MISS] > REFLECTIVE_MISS_THRESHOLD:
kb.reflectiveMechanism = False
if not suppressWarning:
debugMsg = "turning off reflection removal mechanism (for optimization purposes)"
logger.debug(debugMsg)
return retVal
def normalizeUnicode(value):
"""
Does an ASCII normalization of unicode strings
Reference: http://www.peterbe.com/plog/unicode-to-ascii
"""
2012-07-06 19:18:22 +04:00
return unicodedata.normalize('NFKD', value).encode('ascii', 'ignore') if isinstance(value, unicode) else value
2011-03-30 01:54:15 +04:00
def safeSQLIdentificatorNaming(name, isTable=False):
"""
2011-06-16 17:41:02 +04:00
Returns a safe representation of SQL identificator name (internal data format)
2012-08-15 00:28:42 +04:00
Reference: http://stackoverflow.com/questions/954884/what-special-characters-are-allowed-in-t-sql-column-retVal
2011-03-30 01:54:15 +04:00
"""
2011-03-30 01:54:15 +04:00
retVal = name
2011-03-30 01:54:15 +04:00
if isinstance(name, basestring):
2012-07-17 01:13:21 +04:00
retVal = getUnicode(name)
_ = isTable and Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE)
if _:
retVal = re.sub(r"(?i)\A%s\." % DEFAULT_MSSQL_SCHEMA, "", retVal)
2012-08-15 00:28:42 +04:00
if not re.match(r"\A[A-Za-z0-9_@%s\$]+\Z" % ("." if _ else ""), retVal): # MsSQL is the only DBMS where we automatically prepend schema to table name (dot is normal)
2012-07-17 01:13:21 +04:00
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
retVal = "`%s`" % retVal.strip("`")
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.PGSQL, DBMS.DB2):
retVal = "\"%s\"" % retVal.strip("\"")
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL,):
retVal = "[%s]" % retVal.strip("[]")
2012-11-27 13:08:22 +04:00
if _ and DEFAULT_MSSQL_SCHEMA not in retVal and '.' not in re.sub(r"\[[^]]+\]", "", retVal):
2012-07-17 01:13:21 +04:00
retVal = "%s.%s" % (DEFAULT_MSSQL_SCHEMA, retVal)
2011-03-30 01:54:15 +04:00
return retVal
def unsafeSQLIdentificatorNaming(name):
"""
2012-03-14 02:03:23 +04:00
Extracts identificator's name from its safe SQL representation
2011-03-30 01:54:15 +04:00
"""
2011-03-30 01:54:15 +04:00
retVal = name
2011-03-30 01:54:15 +04:00
if isinstance(name, basestring):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
retVal = name.replace("`", "")
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.PGSQL, DBMS.DB2):
2011-03-30 01:54:15 +04:00
retVal = name.replace("\"", "")
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL,):
retVal = name.replace("[", "").replace("]", "")
2011-03-30 01:54:15 +04:00
if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
prefix = "%s." % DEFAULT_MSSQL_SCHEMA
if retVal.startswith(prefix):
retVal = retVal[len(prefix):]
2011-03-30 01:54:15 +04:00
return retVal
def isBinaryData(value):
"""
Tests given value for binary content
"""
retVal = False
if isinstance(value, basestring):
2012-02-22 19:53:36 +04:00
retVal = reduce(lambda x, y: x or not (y in string.printable or ord(y) > 255), value, False)
return retVal
def isNoneValue(value):
"""
2012-02-29 18:19:59 +04:00
Returns whether the value is unusable (None or '')
"""
if isinstance(value, basestring):
2012-02-29 17:56:40 +04:00
return value in ("None", "")
2012-06-14 17:38:53 +04:00
elif isListLike(value):
2012-02-29 18:19:59 +04:00
return all(isNoneValue(_) for _ in value)
elif isinstance(value, dict):
return not any(value)
else:
return value is None
2011-06-15 15:58:50 +04:00
2011-10-22 01:12:48 +04:00
def isNullValue(value):
"""
Returns whether the value contains explicit 'NULL' value
"""
2011-10-22 01:29:24 +04:00
2012-02-07 14:46:55 +04:00
return isinstance(value, basestring) and value.upper() == NULL
2011-10-22 01:12:48 +04:00
2011-06-15 15:58:50 +04:00
def expandMnemonics(mnemonics, parser, args):
"""
2012-02-16 18:42:28 +04:00
Expands mnemonic options
2011-06-15 15:58:50 +04:00
"""
class MnemonicNode(object):
2011-06-15 15:58:50 +04:00
def __init__(self):
self.next = {}
self.current = []
head = MnemonicNode()
pointer = None
for group in parser.option_groups:
for option in group.option_list:
for opt in option._long_opts + option._short_opts:
pointer = head
2011-06-15 15:58:50 +04:00
for char in opt:
if char == "-":
continue
elif char not in pointer.next:
pointer.next[char] = MnemonicNode()
2011-06-15 15:58:50 +04:00
pointer = pointer.next[char]
pointer.current.append(option)
for mnemonic in mnemonics.split(','):
found = None
2011-06-15 16:04:30 +04:00
name = mnemonic.split('=')[0].replace("-", "").strip()
2011-06-15 15:58:50 +04:00
value = mnemonic.split('=')[1] if len(mnemonic.split('=')) > 1 else None
pointer = head
2011-06-15 15:58:50 +04:00
for char in name:
if char in pointer.next:
pointer = pointer.next[char]
else:
pointer = None
2011-06-16 16:12:30 +04:00
break
2011-06-15 15:58:50 +04:00
if pointer in (None, head):
errMsg = "mnemonic '%s' can't be resolved to any parameter name" % name
raise SqlmapSyntaxException, errMsg
2011-06-15 15:58:50 +04:00
elif len(pointer.current) > 1:
options = {}
2011-06-15 15:58:50 +04:00
for option in pointer.current:
for opt in option._long_opts + option._short_opts:
opt = opt.strip('-')
if opt.startswith(name):
options[opt] = option
2011-06-15 15:58:50 +04:00
if name in options:
found = name
debugMsg = "mnemonic '%s' resolved to %s). " % (name, found)
logger.debug(debugMsg)
else:
found = sorted(options.keys(), key=lambda x: len(x))[0]
2011-12-21 23:40:42 +04:00
warnMsg = "detected ambiguity (mnemonic '%s' can be resolved to: %s). " % (name, ", ".join("'%s'" % key for key in options.keys()))
warnMsg += "Resolved to shortest of those ('%s')" % found
2011-06-15 15:58:50 +04:00
logger.warn(warnMsg)
2011-06-15 15:58:50 +04:00
found = options[found]
else:
found = pointer.current[0]
debugMsg = "mnemonic '%s' resolved to %s). " % (name, found)
logger.debug(debugMsg)
if found:
2011-12-26 18:08:25 +04:00
try:
value = found.convert_value(found, value)
except OptionValueError:
value = None
2011-06-15 15:58:50 +04:00
if value is not None:
setattr(args, found.dest, value)
2012-02-23 19:32:36 +04:00
elif not found.type: # boolean
2011-06-15 15:58:50 +04:00
setattr(args, found.dest, True)
2011-06-16 16:26:50 +04:00
else:
errMsg = "mnemonic '%s' requires value of type '%s'" % (name, found.type)
raise SqlmapSyntaxException, errMsg
2011-07-03 02:48:56 +04:00
def safeCSValue(value):
"""
2012-02-16 18:42:28 +04:00
Returns value safe for CSV dumping
2011-11-30 21:44:34 +04:00
Reference: http://tools.ietf.org/html/rfc4180
2011-07-03 02:48:56 +04:00
"""
retVal = value
2011-07-13 10:44:15 +04:00
if retVal and isinstance(retVal, basestring):
2011-07-03 02:48:56 +04:00
if not (retVal[0] == retVal[-1] == '"'):
2011-12-22 02:59:23 +04:00
if any(_ in retVal for _ in (conf.csvDel, '"', '\n')):
2011-07-03 02:48:56 +04:00
retVal = '"%s"' % retVal.replace('"', '""')
return retVal
2011-08-09 18:20:25 +04:00
def filterPairValues(values):
2012-02-16 18:42:28 +04:00
"""
Returns only list-like values with length 2
"""
2011-08-09 18:20:25 +04:00
retVal = []
if not isNoneValue(values) and hasattr(values, '__iter__'):
retVal = filter(lambda x: isinstance(x, (tuple, list, set)) and len(x) == 2, values)
return retVal
def randomizeParameterValue(value):
2011-10-22 01:29:24 +04:00
"""
Randomize a parameter value based on occurances of alphanumeric characters
"""
retVal = value
for match in re.finditer('[A-Z]+', value):
retVal = retVal.replace(match.group(), randomStr(len(match.group())).upper())
for match in re.finditer('[a-z]+', value):
retVal = retVal.replace(match.group(), randomStr(len(match.group())).lower())
for match in re.finditer('[0-9]+', value):
retVal = retVal.replace(match.group(), str(randomInt(len(match.group()))))
return retVal
def asciifyUrl(url, forceQuote=False):
"""
Attempts to make a unicode url usuable with ``urllib/urllib2``.
More specifically, it attempts to convert the unicode object ``url``,
which is meant to represent a IRI, to an unicode object that,
containing only ASCII characters, is a valid URI. This involves:
* IDNA/Puny-encoding the domain name.
* UTF8-quoting the path and querystring parts.
See also RFC 3987.
Reference: http://blog.elsdoerfer.name/2008/12/12/opening-iris-in-python/
"""
parts = urlparse.urlsplit(url)
if not parts.scheme or not parts.netloc:
# apparently not an url
return url
2011-12-22 02:09:21 +04:00
if all(char in string.printable for char in url):
return url
# idna-encode domain
2011-12-22 02:09:21 +04:00
hostname = parts.hostname.encode("idna")
# UTF8-quote the other parts. We check each part individually if
# if needs to be quoted - that should catch some additional user
# errors, say for example an umlaut in the username even though
# the path *is* already quoted.
def quote(s, safe):
s = s or ''
# Triggers on non-ascii characters - another option would be:
# urllib.quote(s.replace('%', '')) != s.replace('%', '')
# which would trigger on all %-characters, e.g. "&".
2011-12-22 02:09:21 +04:00
if s.encode("ascii", "replace") != s or forceQuote:
2012-02-23 19:32:36 +04:00
return urllib.quote(s.encode(UNICODE_ENCODING), safe=safe)
return s
username = quote(parts.username, '')
password = quote(parts.password, safe='')
path = quote(parts.path, safe='/')
2011-12-22 02:09:21 +04:00
query = quote(parts.query, safe="&=")
# put everything back together
netloc = hostname
if username or password:
netloc = '@' + netloc
if password:
netloc = ':' + password + netloc
netloc = username + netloc
2012-07-06 19:18:22 +04:00
if parts.port:
netloc += ':' + str(parts.port)
return urlparse.urlunsplit([parts.scheme, netloc, path, query, parts.fragment])
2012-10-25 00:59:46 +04:00
def isAdminFromPrivileges(privileges):
"""
Inspects privileges to see if those are comming from an admin user
"""
# In PostgreSQL the usesuper privilege means that the
# user is DBA
retVal = (Backend.isDbms(DBMS.PGSQL) and "super" in privileges)
# In Oracle the DBA privilege means that the
# user is DBA
retVal |= (Backend.isDbms(DBMS.ORACLE) and "DBA" in privileges)
# In MySQL >= 5.0 the SUPER privilege means
# that the user is DBA
retVal |= (Backend.isDbms(DBMS.MYSQL) and kb.data.has_information_schema and "SUPER" in privileges)
# In MySQL < 5.0 the super_priv privilege means
# that the user is DBA
retVal |= (Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema and "super_priv" in privileges)
# In Firebird there is no specific privilege that means
# that the user is DBA
# TODO: confirm
retVal |= (Backend.isDbms(DBMS.FIREBIRD) and "SELECT" in privileges and "INSERT" in privileges and "UPDATE" in privileges and "DELETE" in privileges and "REFERENCES" in privileges and "EXECUTE" in privileges)
return retVal
def findPageForms(content, url, raise_=False, addToTargets=False):
2012-02-16 18:42:28 +04:00
"""
Parses given page content for possible forms
"""
class _(StringIO):
def __init__(self, content, url):
StringIO.__init__(self, unicodeencode(content, kb.pageEncoding) if isinstance(content, unicode) else content)
self._url = url
def geturl(self):
return self._url
2011-10-29 14:31:52 +04:00
if not content:
errMsg = "can't parse forms as the page content appears to be blank"
2011-10-29 14:31:52 +04:00
if raise_:
raise SqlmapGenericException, errMsg
2011-10-29 14:31:52 +04:00
else:
logger.debug(errMsg)
forms = None
retVal = set()
response = _(content, url)
2012-03-28 17:31:07 +04:00
try:
forms = ParseResponse(response, backwards_compat=False)
except ParseError:
2012-07-06 19:18:22 +04:00
warnMsg = "badly formed HTML at the given url ('%s'). Going to filter it" % url
2011-10-29 14:31:52 +04:00
logger.warning(warnMsg)
response.seek(0)
2012-10-29 17:08:48 +04:00
filtered = _("".join(re.findall(FORM_SEARCH_REGEX, response.read())), response.geturl())
try:
2011-10-29 14:31:52 +04:00
forms = ParseResponse(filtered, backwards_compat=False)
except ParseError:
errMsg = "no success"
if raise_:
raise SqlmapGenericException, errMsg
else:
logger.debug(errMsg)
if forms:
for form in forms:
2012-07-31 00:39:45 +04:00
try:
for control in form.controls:
if hasattr(control, "items"):
# if control has selectable items select first non-disabled
for item in control.items:
if not item.disabled:
if not item.selected:
item.selected = True
break
request = form.click()
except (ValueError, TypeError), ex:
errMsg = "there has been a problem while "
errMsg += "processing page forms ('%s')" % ex
if raise_:
raise SqlmapGenericException, errMsg
2012-07-31 00:39:45 +04:00
else:
logger.debug(errMsg)
else:
url = urldecode(request.get_full_url(), kb.pageEncoding)
method = request.get_method()
data = request.get_data() if request.has_data() else None
data = urldecode(data, kb.pageEncoding) if data and urlencode(DEFAULT_GET_POST_DELIMITER, None) not in data else data
if not data and method and method.upper() == HTTPMETHOD.POST:
debugMsg = "invalid POST form with blank data detected"
logger.debug(debugMsg)
continue
2012-02-16 18:42:28 +04:00
2012-07-31 00:39:45 +04:00
target = (url, method, data, conf.cookie)
retVal.add(target)
else:
errMsg = "there were no forms found at the given target url"
if raise_:
raise SqlmapGenericException, errMsg
else:
logger.debug(errMsg)
if addToTargets and retVal:
for target in retVal:
2012-12-06 14:57:57 +04:00
url = target[0]
# flag to know if we are dealing with the same target host
_ = reduce(lambda x, y: x == y, map(lambda x: urlparse.urlparse(x).netloc.split(':')[0], (response.geturl(), url)))
if conf.scope:
if not re.search(conf.scope, url, re.I):
continue
elif not _:
continue
kb.targets.add(target)
2011-11-11 15:28:27 +04:00
return retVal
def getHostHeader(url):
2012-02-16 18:42:28 +04:00
"""
Returns proper Host header value for a given target URL
"""
2012-07-17 02:19:33 +04:00
retVal = url
2011-11-11 15:28:27 +04:00
2012-07-17 02:19:33 +04:00
if url:
retVal = urlparse.urlparse(url).netloc
if re.search("http(s)?://\[.+\]", url, re.I):
retVal = extractRegexResult("http(s)?://\[(?P<result>.+)\]", url)
elif any(retVal.endswith(':%d' % _) for _ in (80, 443)):
retVal = retVal.split(':')[0]
2011-11-11 15:28:27 +04:00
2011-11-21 20:41:02 +04:00
return retVal
2012-11-28 14:10:57 +04:00
def checkDeprecatedOptions(args):
"""
Checks for deprecated options
"""
for _ in args:
if _ in DEPRECATED_OPTIONS:
errMsg = "switch/option '%s' is deprecated" % _
if _ in DEPRECATED_HINTS:
errMsg += " (hint: %s)" % DEPRECATED_HINTS[_]
raise SqlmapSyntaxException, errMsg
2012-11-28 14:10:57 +04:00
2012-02-16 18:42:28 +04:00
def evaluateCode(code, variables=None):
"""
Executes given python code given in a string form
"""
2011-11-21 20:41:02 +04:00
try:
exec(code, variables)
2012-08-21 16:34:19 +04:00
except KeyboardInterrupt:
raise
2011-11-21 20:41:02 +04:00
except Exception, ex:
errMsg = "an error occured while evaluating provided code ('%s'). " % ex
raise SqlmapGenericException, errMsg
def serializeObject(object_):
2012-02-16 18:42:28 +04:00
"""
Serializes given object
"""
return base64pickle(object_)
def unserializeObject(value):
2012-02-16 18:42:28 +04:00
"""
Unserializes object from given serialized form
"""
2012-07-01 03:19:54 +04:00
return base64unpickle(value) if value else None
2011-12-21 15:50:49 +04:00
2012-02-16 18:42:28 +04:00
def resetCounter(technique):
"""
Resets query counter for a given technique
"""
kb.counters[technique] = 0
def incrementCounter(technique):
"""
Increments query counter for a given technique
"""
kb.counters[technique] = getCounter(technique) + 1
2011-12-21 15:50:49 +04:00
2012-02-16 18:42:28 +04:00
def getCounter(technique):
"""
Returns query counter for a given technique
"""
2012-02-16 18:42:28 +04:00
return kb.counters.get(technique, 0)
def applyFunctionRecursively(value, function):
"""
Applies function recursively through list-like structures
"""
2012-06-14 17:38:53 +04:00
if isListLike(value):
retVal = [applyFunctionRecursively(_, function) for _ in value]
else:
retVal = function(value)
return retVal
def decodeHexValue(value):
"""
Returns value decoded from DBMS specific hexadecimal representation
"""
2012-04-02 16:58:10 +04:00
retVal = value
def _(value):
2012-02-21 17:38:18 +04:00
if value and isinstance(value, basestring) and len(value) % 2 == 0:
2012-12-19 04:30:22 +04:00
value = hexdecode(value)
if Backend.isDbms(DBMS.MSSQL):
2012-02-23 19:19:20 +04:00
try:
value = value.decode("utf-16-le")
except UnicodeDecodeError:
pass
2012-12-19 04:30:22 +04:00
2012-10-23 19:06:31 +04:00
if not isinstance(value, unicode):
value = value.decode("utf8", "replace")
2012-12-19 04:30:22 +04:00
return value
2012-04-02 16:58:10 +04:00
try:
retVal = applyFunctionRecursively(value, _)
except Exception:
singleTimeWarnMessage("there was a problem decoding value '%s' from expected hexadecimal form" % value)
return retVal
def extractExpectedValue(value, expected):
"""
Extracts and returns expected value by a given type
"""
if expected:
value = unArrayizeValue(value)
if isNoneValue(value):
value = None
elif expected == EXPECTED.BOOL:
if isinstance(value, int):
value = bool(value)
elif isinstance(value, basestring):
value = value.strip().lower()
if value in ("true", "false"):
value = value == "true"
elif value in ("1", "-1"):
value = True
elif value == "0":
value = False
else:
value = None
elif expected == EXPECTED.INT:
if isinstance(value, basestring):
2012-07-01 03:19:54 +04:00
value = int(value) if value.isdigit() else None
return value
def hashDBWrite(key, value, serialize=False):
"""
Helper function for writing session data to HashDB
"""
_ = "%s%s%s" % (conf.url or "%s%s" % (conf.hostname, conf.port), key, HASHDB_MILESTONE_VALUE)
2012-02-24 19:03:39 +04:00
conf.hashDB.write(_, value, serialize)
2012-02-24 18:54:10 +04:00
def hashDBRetrieve(key, unserialize=False, checkConf=False):
"""
Helper function for restoring session data from HashDB
"""
_ = "%s%s%s" % (conf.url or "%s%s" % (conf.hostname, conf.port), key, HASHDB_MILESTONE_VALUE)
2012-05-10 18:22:34 +04:00
_ = conf.hashDB.retrieve(_, unserialize) if kb.resumeValues and not (checkConf and any([conf.flushSession, conf.freshQueries])) else None
2012-07-06 17:36:32 +04:00
if not kb.inferenceMode and not kb.fileReadMode and _ and PARTIAL_VALUE_MARKER in _:
2012-05-10 18:22:34 +04:00
_ = None
return _
2012-03-08 14:19:34 +04:00
def resetCookieJar(cookieJar):
2012-07-01 03:19:54 +04:00
"""
Cleans cookies from a given cookie jar
"""
2012-07-24 17:34:50 +04:00
if not conf.loadCookies:
2012-03-08 14:19:34 +04:00
cookieJar.clear()
else:
try:
2012-07-24 17:34:50 +04:00
cookieJar.load(conf.loadCookies)
2012-03-08 14:19:34 +04:00
cookieJar.clear_expired_cookies()
except cookielib.LoadError, msg:
errMsg = "there was a problem loading "
errMsg += "cookies file ('%s')" % msg
raise SqlmapGenericException, errMsg
2012-05-04 02:34:18 +04:00
def prioritySortColumns(columns):
2012-07-01 03:19:54 +04:00
"""
Sorts given column names by length in ascending order while those containing
string 'id' go first
"""
2012-05-04 02:34:18 +04:00
_ = lambda x: x and "id" in x.lower()
return sorted(sorted(columns, key=len), lambda x, y: -1 if _(x) and not _(y) else 1 if not _(x) and _(y) else 0)
def getRequestHeader(request, name):
"""
Solving an issue with an urllib2 Request header case sensitivity
Reference: http://bugs.python.org/issue2275
"""
retVal = None
if request and name:
retVal = max(request.get_header(_) if name.upper() == _.upper() else None for _ in request.headers.keys())
return retVal
2012-10-04 20:01:42 +04:00
def isNumber(value):
"""
Returns True if the given value is a number-like object
"""
try:
float(value)
2012-10-04 20:01:42 +04:00
except:
return False
else:
return True