sqlmap/extra/vulnserver/vulnserver.py

#!/usr/bin/env python

"""
vulnserver.py - Trivial SQLi vulnerable HTTP server (Note: for testing purposes)

Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from __future__ import print_function

import json
import re
import sqlite3
import sys
import threading
import traceback

if sys.version_info >= (3, 0):
    from http.client import FOUND
    from http.client import INTERNAL_SERVER_ERROR
    from http.client import NOT_FOUND
    from http.client import OK
    from http.server import BaseHTTPRequestHandler
    from http.server import HTTPServer
    from socketserver import ThreadingMixIn
    from urllib.parse import parse_qs
    from urllib.parse import unquote_plus
else:
    from BaseHTTPServer import BaseHTTPRequestHandler
    from BaseHTTPServer import HTTPServer
    from httplib import FOUND
    from httplib import INTERNAL_SERVER_ERROR
    from httplib import NOT_FOUND
    from httplib import OK
    from SocketServer import ThreadingMixIn
    from urlparse import parse_qs
    from urllib import unquote_plus

SCHEMA = """
    CREATE TABLE users (
        id INTEGER,
        name TEXT,
        surname TEXT
    );
    INSERT INTO users (id, name, surname) VALUES (1, 'luther', 'blisset');
    INSERT INTO users (id, name, surname) VALUES (2, 'fluffy', 'bunny');
    INSERT INTO users (id, name, surname) VALUES (3, 'wu', '179ad45c6ce2cb97cf1029e212046e81');
    INSERT INTO users (id, name, surname) VALUES (4, 'sqlmap/1.0-dev (http://sqlmap.org)', 'user agent header');
    INSERT INTO users (id, name, surname) VALUES (5, NULL, 'nameisnull');
"""

LISTEN_ADDRESS = "localhost"
LISTEN_PORT = 8440

_conn = None
_cursor = None
_lock = None
_server = None

def init(quiet=False):
    global _conn
    global _cursor
    global _lock

    _conn = sqlite3.connect(":memory:", isolation_level=None, check_same_thread=False)
    _cursor = _conn.cursor()
    _lock = threading.Lock()

    _cursor.executescript(SCHEMA)

    if quiet:
        global print

        def _(*args, **kwargs):
            pass

        print = _

class ThreadingServer(ThreadingMixIn, HTTPServer):
    def finish_request(self, *args, **kwargs):
        try:
            HTTPServer.finish_request(self, *args, **kwargs)
        except Exception:
            traceback.print_exc()

class ReqHandler(BaseHTTPRequestHandler):
    def do_REQUEST(self):
        path, query = self.path.split('?', 1) if '?' in self.path else (self.path, "")
        params = {}

        if query:
            params.update(parse_qs(query))

            if "<script>" in unquote_plus(query):
                self.send_response(INTERNAL_SERVER_ERROR)
                self.send_header("Connection", "close")
                self.end_headers()
                self.wfile.write("CLOUDFLARE_ERROR_500S_BOX".encode("utf8"))
                return

        if hasattr(self, "data"):
            if self.data.startswith('{') and self.data.endswith('}'):
                params.update(json.loads(self.data))
            elif self.data.startswith('<') and self.data.endswith('>'):
                params.update(dict((_[0], _[1].replace("&apos;", "'").replace("&quot;", '"').replace("&lt;", '<').replace("&gt;", '>').replace("&amp;", '&')) for _ in re.findall(r'name="([^"]+)" value="([^"]*)"', self.data)))
            else:
                params.update(parse_qs(self.data))

        for name in self.headers:
            params[name.lower()] = self.headers[name]

        if "cookie" in params:
            for part in params["cookie"].split(';'):
                part = part.strip()
                if '=' in part:
                    name, value = part.split('=', 1)
                    params[name.strip()] = unquote_plus(value.strip())

        for key in params:
            if params[key] and isinstance(params[key], (tuple, list)):
                params[key] = params[key][-1]

        self.url, self.params = path, params

        if self.url == '/':
            if "id" not in params:
                self.send_response(FOUND)
                self.send_header("Connection", "close")
                self.send_header("Location", "/?id=1")
                self.end_headers()
            else:
                self.send_response(OK)
                self.send_header("Content-type", "text/html")
                self.send_header("Connection", "close")
                self.end_headers()

                try:
                    with _lock:
                        _cursor.execute("SELECT * FROM users WHERE id=%s LIMIT 0, 1" % self.params.get("id", ""))
                        results = _cursor.fetchall()

                    output = "<b>SQL results:</b>\n"
                    output += "<table border=\"1\">\n"
                    for row in results:
                        output += "<tr>"
                        for value in row:
                            output += "<td>%s</td>" % value
                        output += "</tr>\n"
                    output += "</table>\n"
                    output += "</body></html>"
                except Exception as ex:
                    output = "%s: %s" % (re.search(r"'([^']+)'", str(type(ex))).group(1), ex)

                self.wfile.write(output.encode("utf8"))
        else:
            self.send_response(NOT_FOUND)
            self.send_header("Connection", "close")
            self.end_headers()

    def do_GET(self):
        self.do_REQUEST()

    def do_PUT(self):
        self.do_REQUEST()

    def do_POST(self):
        length = int(self.headers.get("Content-length", 0))
        if length:
            data = self.rfile.read(length)
            data = unquote_plus(data.decode("utf8"))
            self.data = data
        self.do_REQUEST()

    def log_message(self, format, *args):
        return

def run(address=LISTEN_ADDRESS, port=LISTEN_PORT):
    global _server
    try:
        _server = ThreadingServer((address, port), ReqHandler)
        print("[i] running HTTP server at '%s:%d'" % (address, port))
        _server.serve_forever()
    except KeyboardInterrupt:
        _server.socket.close()
        raise

if __name__ == "__main__":
    try:
        init()
        run(sys.argv[1] if len(sys.argv) > 1 else LISTEN_ADDRESS, int(sys.argv[2] if len(sys.argv) > 2 else LISTEN_PORT))
    except KeyboardInterrupt:
        print("\r[x] Ctrl-C received")
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`#!/usr/bin/env python`

			`"""`
			`vulnserver.py - Trivial SQLi vulnerable HTTP server (Note: for testing purposes)`

			`Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)`
			`See the file 'LICENSE' for copying permission`
			`"""`

			`from __future__ import print_function`

Minor update of vuln-test 2019-10-15 13:29:39 +03:00			`import json`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`import re`
			`import sqlite3`
			`import sys`
Adding support for multi-threading in (testing) vulnserver 2019-04-30 02:08:24 +03:00			`import threading`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`import traceback`

			`if sys.version_info >= (3, 0):`
			`from http.client import FOUND`
Minor update for vuln testing 2019-04-29 12:32:01 +03:00			`from http.client import INTERNAL_SERVER_ERROR`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`from http.client import NOT_FOUND`
			`from http.client import OK`
			`from http.server import BaseHTTPRequestHandler`
			`from http.server import HTTPServer`
			`from socketserver import ThreadingMixIn`
			`from urllib.parse import parse_qs`
			`from urllib.parse import unquote_plus`
			`else:`
			`from BaseHTTPServer import BaseHTTPRequestHandler`
			`from BaseHTTPServer import HTTPServer`
			`from httplib import FOUND`
Minor update for vuln testing 2019-04-29 12:32:01 +03:00			`from httplib import INTERNAL_SERVER_ERROR`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`from httplib import NOT_FOUND`
			`from httplib import OK`
			`from SocketServer import ThreadingMixIn`
			`from urlparse import parse_qs`
			`from urllib import unquote_plus`

			`SCHEMA = """`
			`CREATE TABLE users (`
			`id INTEGER,`
			`name TEXT,`
			`surname TEXT`
			`);`
			`INSERT INTO users (id, name, surname) VALUES (1, 'luther', 'blisset');`
			`INSERT INTO users (id, name, surname) VALUES (2, 'fluffy', 'bunny');`
Minor (testing) update 2019-04-29 12:58:52 +03:00			`INSERT INTO users (id, name, surname) VALUES (3, 'wu', '179ad45c6ce2cb97cf1029e212046e81');`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`INSERT INTO users (id, name, surname) VALUES (4, 'sqlmap/1.0-dev (http://sqlmap.org)', 'user agent header');`
			`INSERT INTO users (id, name, surname) VALUES (5, NULL, 'nameisnull');`
			`"""`

			`LISTEN_ADDRESS = "localhost"`
			`LISTEN_PORT = 8440`

			`_conn = None`
			`_cursor = None`
Adding support for multi-threading in (testing) vulnserver 2019-04-30 02:08:24 +03:00			`_lock = None`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`_server = None`

Implementing additional self-test stuff (--vuln-test) 2019-04-19 14:28:11 +03:00			`def init(quiet=False):`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`global _conn`
			`global _cursor`
Adding support for multi-threading in (testing) vulnserver 2019-04-30 02:08:24 +03:00			`global _lock`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00
			`_conn = sqlite3.connect(":memory:", isolation_level=None, check_same_thread=False)`
			`_cursor = _conn.cursor()`
Adding support for multi-threading in (testing) vulnserver 2019-04-30 02:08:24 +03:00			`_lock = threading.Lock()`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00
			`_cursor.executescript(SCHEMA)`

Implementing additional self-test stuff (--vuln-test) 2019-04-19 14:28:11 +03:00			`if quiet:`
			`global print`

			`def _(args, *kwargs):`
			`pass`

			`print = _`

Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`class ThreadingServer(ThreadingMixIn, HTTPServer):`
			`def finish_request(self, args, *kwargs):`
			`try:`
			`HTTPServer.finish_request(self, args, *kwargs)`
			`except Exception:`
			`traceback.print_exc()`

			`class ReqHandler(BaseHTTPRequestHandler):`
			`def do_REQUEST(self):`
			`path, query = self.path.split('?', 1) if '?' in self.path else (self.path, "")`
			`params = {}`

			`if query:`
			`params.update(parse_qs(query))`

Minor update for vuln testing 2019-04-29 12:32:01 +03:00			`if "<script>" in unquote_plus(query):`
			`self.send_response(INTERNAL_SERVER_ERROR)`
			`self.send_header("Connection", "close")`
			`self.end_headers()`
			`self.wfile.write("CLOUDFLARE_ERROR_500S_BOX".encode("utf8"))`
			`return`

Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`if hasattr(self, "data"):`
Minor update of vuln-test 2019-10-15 13:29:39 +03:00			`if self.data.startswith('{') and self.data.endswith('}'):`
			`params.update(json.loads(self.data))`
Update of vuln tests 2019-11-06 13:52:50 +03:00			`elif self.data.startswith('<') and self.data.endswith('>'):`
Bug fix (payload escaping in XML payloads) 2019-11-14 13:49:30 +03:00			`params.update(dict((_[0], _[1].replace("'", "'").replace(""", '"').replace("<", '<').replace(">", '>').replace("&", '&')) for _ in re.findall(r'name="([^"]+)" value="([^"]*)"', self.data)))`
Minor update of vuln-test 2019-10-15 13:29:39 +03:00			`else:`
			`params.update(parse_qs(self.data))`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00
Update of vuln tests 2019-11-06 14:27:47 +03:00			`for name in self.headers:`
			`params[name.lower()] = self.headers[name]`

Update of vuln tests 2019-11-06 14:54:18 +03:00			`if "cookie" in params:`
			`for part in params["cookie"].split(';'):`
			`part = part.strip()`
			`if '=' in part:`
			`name, value = part.split('=', 1)`
			`params[name.strip()] = unquote_plus(value.strip())`

Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`for key in params:`
Minor update of vuln-test 2019-10-15 13:29:39 +03:00			`if params[key] and isinstance(params[key], (tuple, list)):`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`params[key] = params[key][-1]`

			`self.url, self.params = path, params`

			`if self.url == '/':`
			`if "id" not in params:`
			`self.send_response(FOUND)`
			`self.send_header("Connection", "close")`
			`self.send_header("Location", "/?id=1")`
			`self.end_headers()`
			`else:`
			`self.send_response(OK)`
			`self.send_header("Content-type", "text/html")`
			`self.send_header("Connection", "close")`
			`self.end_headers()`

			`try:`
Adding support for multi-threading in (testing) vulnserver 2019-04-30 02:08:24 +03:00			`with _lock:`
			`_cursor.execute("SELECT * FROM users WHERE id=%s LIMIT 0, 1" % self.params.get("id", ""))`
			`results = _cursor.fetchall()`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00
			`output = "<b>SQL results:</b>\n"`
			`output += "<table border=\"1\">\n"`
Adding support for multi-threading in (testing) vulnserver 2019-04-30 02:08:24 +03:00			`for row in results:`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`output += "<tr>"`
			`for value in row:`
			`output += "<td>%s</td>" % value`
			`output += "</tr>\n"`
			`output += "</table>\n"`
Trivial code style updates 2019-04-19 14:54:48 +03:00			`output += "</body></html>"`
Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`except Exception as ex:`
			`output = "%s: %s" % (re.search(r"'([^']+)'", str(type(ex))).group(1), ex)`

			`self.wfile.write(output.encode("utf8"))`
			`else:`
			`self.send_response(NOT_FOUND)`
			`self.send_header("Connection", "close")`
			`self.end_headers()`

			`def do_GET(self):`
			`self.do_REQUEST()`

Minor update 2019-11-13 13:17:32 +03:00			`def do_PUT(self):`
			`self.do_REQUEST()`

Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`def do_POST(self):`
			`length = int(self.headers.get("Content-length", 0))`
			`if length:`
			`data = self.rfile.read(length)`
			`data = unquote_plus(data.decode("utf8"))`
			`self.data = data`
			`self.do_REQUEST()`

Implementing additional self-test stuff (--vuln-test) 2019-04-19 14:28:11 +03:00			`def log_message(self, format, *args):`
			`return`

Adding SQLi vulnserver (for testing purposes) 2019-03-29 13:04:58 +03:00			`def run(address=LISTEN_ADDRESS, port=LISTEN_PORT):`
			`global _server`
			`try:`
			`_server = ThreadingServer((address, port), ReqHandler)`
			`print("[i] running HTTP server at '%s:%d'" % (address, port))`
			`_server.serve_forever()`
			`except KeyboardInterrupt:`
			`_server.socket.close()`
			`raise`

			`if __name__ == "__main__":`
			`try:`
			`init()`
			`run(sys.argv[1] if len(sys.argv) > 1 else LISTEN_ADDRESS, int(sys.argv[2] if len(sys.argv) > 2 else LISTEN_PORT))`
			`except KeyboardInterrupt:`
			`print("\r[x] Ctrl-C received")`