sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-01-24 00:04:23 +03:00
Code Issues Packages Projects Releases Wiki Activity
97fe5e52c2
sqlmap/lib/controller/checks.py

1262 lines
52 KiB
Python
Raw Normal View History

reverted a previous commit as not all distributions create a link file /usr/bin/python2 to the Python interpreter
2013-02-14 15:32:17 +04:00
#!/usr/bin/env python
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
updated copyright
2014-01-13 21:24:49 +04:00
Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
sorry, cosmetics
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Favoring non-string specific boundaries in case of digit-like parameter values
2012-08-22 15:58:52 +04:00
import copy
minor beautification
2011-12-16 03:33:44 +04:00
import httplib
Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3.
2008-12-12 22:06:31 +03:00
import re
added test for site existance
2010-05-21 17:36:49 +04:00
import socket
After the storm, a restore..
2008-10-15 19:38:22 +04:00
import time
Implementation for an Issue #293
2012-12-11 15:48:58 +04:00
from subprocess import Popen as execute
Implementation for an Issue #292
2012-12-11 15:02:06 +04:00
from extra.beep.beep import beep
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.agent import agent
update regarding multiple DBMS payloads
2011-02-14 00:20:21 +03:00
from lib.core.common import arrayizeValue
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
from lib.core.common import Backend
minor refactoring
2010-12-06 18:50:19 +03:00
from lib.core.common import extractRegexResult
improving "boolean detection" by automatic recognition of convenient --string candidate
2012-04-11 01:48:34 +04:00
from lib.core.common import extractTextTagContent
code refactoring
2010-12-29 22:39:32 +03:00
from lib.core.common import findDynamicContent
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
from lib.core.common import Format
minor improvement
2012-01-14 00:56:06 +04:00
from lib.core.common import getLastRequestHTTPError
Implementation for an Issue #377
2013-01-25 15:34:57 +04:00
from lib.core.common import getPublicTypeMembers
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
from lib.core.common import getSortedInjectionTests
more unicode refactoring
2010-06-02 16:45:40 +04:00
from lib.core.common import getUnicode
update regarding multiple DBMS payloads
2011-02-14 00:20:21 +03:00
from lib.core.common import intersect
added checking of header values for GREP (error); still UNION to do
2011-01-31 15:21:17 +03:00
from lib.core.common import listToStrValue
speed optimization and bug fix (kb.absFilePaths were not stored previously; also, they are now extracted only in heuristic phase)
2011-11-22 12:39:13 +04:00
from lib.core.common import parseFilePaths
some updates
2010-12-04 18:47:02 +03:00
from lib.core.common import popValue
from lib.core.common import pushValue
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import randomInt
from lib.core.common import randomStr
minor update
2010-10-11 15:47:07 +04:00
from lib.core.common import readInput
added some user interaction when page is dynamic
2010-10-12 19:49:04 +04:00
from lib.core.common import showStaticWords
automatically extending ranges for UNION tests in case where at least one other injection technique is usable (boundaries has been established)
2012-04-23 17:41:36 +04:00
from lib.core.common import singleTimeLogMessage
more concise
2011-06-08 18:35:23 +04:00
from lib.core.common import singleTimeWarnMessage
Finalizing implementation for an Issue #290
2013-02-21 17:33:12 +04:00
from lib.core.common import urlencode
Better naming
2013-01-29 23:53:11 +04:00
from lib.core.common import wasLastResponseDBMSError
from lib.core.common import wasLastResponseHTTPError
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
few fixes and minor cosmetics
2011-07-08 10:02:31 +04:00
from lib.core.datatype import AttribDict
from lib.core.datatype import InjectionDict
Finalizing implementation for an Issue #290
2013-02-21 17:33:12 +04:00
from lib.core.decorators import cachedmethod
Implementation for an Issue #377
2013-01-25 15:34:57 +04:00
from lib.core.dicts import FROM_DUMMY_TABLE
Minor text update
2013-07-08 14:44:14 +04:00
from lib.core.enums import CUSTOM_LOGGING
Implementation for an Issue #377
2013-01-25 15:34:57 +04:00
from lib.core.enums import DBMS
Update for an #161 (preventing further skipping of non-heuristic parameters in ignore casted case)
2012-08-22 13:56:30 +04:00
from lib.core.enums import HEURISTIC_TEST
Update for consistency (all other enums are using _ in between words)
2013-03-20 14:10:24 +04:00
from lib.core.enums import HTTP_HEADER
minor update
2010-11-08 12:49:57 +03:00
from lib.core.enums import HTTPMETHOD
from lib.core.enums import NULLCONNECTION
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
from lib.core.enums import PAYLOAD
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type. Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders.
2010-12-01 20:09:52 +03:00
from lib.core.enums import PLACE
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 17:14:19 +04:00
from lib.core.exception import SqlmapConnectionException
from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapSilentQuitException
from lib.core.exception import SqlmapUserQuitException
Update for an Issue #161 (now detecting format error messages too)
2012-08-22 17:51:47 +04:00
from lib.core.settings import FORMAT_EXCEPTION_STRINGS
Minor refactoring/improvement
2012-10-28 03:42:08 +04:00
from lib.core.settings import HEURISTIC_CHECK_ALPHABET
typo fix
2013-01-16 05:31:03 +04:00
from lib.core.settings import SUHOSIN_MAX_VALUE_LENGTH
Implementation for an Issue #377
2013-01-25 15:34:57 +04:00
from lib.core.settings import UNKNOWN_DBMS
world premiere of "forced-error blind stacked" payloads (spent 3 hours on pgsql)
2011-01-21 21:32:10 +03:00
from lib.core.settings import LOWER_RATIO_BOUND
minor optimization
2010-12-29 22:01:29 +03:00
from lib.core.settings import UPPER_RATIO_BOUND
few bug fixes (NTLM credential parsing was wrong), some switch reordering (few Misc to General), implemented --check-waf switch (irony is that this will also be called highly experimental/unstable while other things will be called "major/turbo/super bug fix/implementation")
2011-07-06 09:44:47 +04:00
from lib.core.settings import IDS_WAF_CHECK_PAYLOAD
slightly faster and thread safer inference
2011-01-16 13:52:42 +03:00
from lib.core.threads import getCurrentThreadData
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.request.connect import Connect as Request
implemented checkFalsePositives method (simple Turing like tests)
2011-04-22 16:24:16 +04:00
from lib.request.inject import checkBooleanExpression
update regarding session page templates
2010-12-07 17:35:31 +03:00
from lib.request.templates import getPageTemplate
Moved folder
2011-06-18 16:34:41 +04:00
from lib.techniques.union.test import unionTest
from lib.techniques.union.use import configUnion
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
def checkSqlInjection(place, parameter, value):
# Store here the details about boundaries and payload used to
# successfully inject
few fixes and minor cosmetics
2011-07-08 10:02:31 +04:00
injection = InjectionDict()
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
minor update regarding last commit
2011-03-17 12:23:46 +03:00
# Localized thread data needed for some methods
threadData = getCurrentThreadData()
minor style update
2012-06-19 12:33:51 +04:00
# Set the flag for SQL injection test mode
code refactoring
2010-12-07 16:34:06 +03:00
kb.testMode = True
some updates
2010-12-04 18:47:02 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
for test in getSortedInjectionTests():
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
try:
(e) finally works as it should
2011-01-01 22:22:44 +03:00
if kb.endDetection:
break
Implementation for an Issue #363
2013-02-01 20:24:04 +04:00
if conf.dbms is None:
if not injection.dbms and PAYLOAD.TECHNIQUE.BOOLEAN in injection.data:
if not Backend.getIdentifiedDbms() and not kb.heuristicDbms:
kb.heuristicDbms = heuristicCheckDbms(injection) or UNKNOWN_DBMS
if not conf.testFilter and (Backend.getErrorParsedDBMSes() or kb.heuristicDbms) not in ([], None, UNKNOWN_DBMS):
if kb.reduceTests is None and Backend.getErrorParsedDBMSes():
msg = "heuristic (parsing) test showed that the "
msg += "back-end DBMS could be '%s'. " % (Format.getErrorParsedDBMSes() if Backend.getErrorParsedDBMSes() else kb.heuristicDbms)
msg += "Do you want to skip test payloads specific for other DBMSes? [Y/n]"
kb.reduceTests = [] if readInput(msg, default='Y').upper() != 'Y' else (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms])
if kb.extendTests is None:
_ = (Format.getErrorParsedDBMSes() if Backend.getErrorParsedDBMSes() else kb.heuristicDbms)
msg = "do you want to include all tests for '%s' " % _
Minor text update
2013-03-26 17:08:35 +04:00
msg += "extending provided level (%d) and risk (%s)? [Y/n]" % (conf.level, conf.risk)
Implementation for an Issue #363
2013-02-01 20:24:04 +04:00
kb.extendTests = [] if readInput(msg, default='Y').upper() != 'Y' else (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms])
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
title = test.title
stype = test.stype
clause = test.clause
minor beauty patch
2012-05-07 17:51:31 +04:00
unionExtended = False
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
Major bug fix to detect UNION query technique and various improvements to parsing and using of --union-char and --union-cols switches
2011-05-10 19:34:54 +04:00
if stype == PAYLOAD.TECHNIQUE.UNION:
Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase. Adapted UNION tests' titles when --union-char is provided. Lots of comment adjustments. Code cleanup
2011-01-19 02:03:50 +03:00
configUnion(test.request.char)
Major bug fix to detect UNION query technique and various improvements to parsing and using of --union-char and --union-cols switches
2011-05-10 19:34:54 +04:00
if "[CHAR]" in title:
if conf.uChar is None:
continue
else:
title = title.replace("[CHAR]", conf.uChar)
elif "[RANDNUM]" in title or "(NULL)" in title:
title = title.replace("[RANDNUM]", "random number")
Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase. Adapted UNION tests' titles when --union-char is provided. Lots of comment adjustments. Code cleanup
2011-01-19 02:03:50 +03:00
if test.request.columns == "[COLSTART]-[COLSTOP]":
if conf.uCols is None:
continue
else:
title = title.replace("[COLSTART]", str(conf.uColsStart))
title = title.replace("[COLSTOP]", str(conf.uColsStop))
unfix
2011-05-11 01:33:06 +04:00
Major bug fix to detect UNION query technique and various improvements to parsing and using of --union-char and --union-cols switches
2011-05-10 19:34:54 +04:00
elif conf.uCols is not None:
debugMsg = "skipping test '%s' because the user " % title
debugMsg += "provided custom column range %s" % conf.uCols
logger.debug(debugMsg)
continue
Accept [RANDNUM] as <char> in payloads.xml and handle it accordingly
2011-04-07 15:10:35 +04:00
automatically extending ranges for UNION tests in case where at least one other injection technique is usable (boundaries has been established)
2012-04-23 17:41:36 +04:00
match = re.search(r"(\d+)-(\d+)", test.request.columns)
if injection.data and match:
lower, upper = int(match.group(1)), int(match.group(2))
for _ in (lower, upper):
if _ > 1:
minor beauty patch
2012-05-07 17:51:31 +04:00
unionExtended = True
automatically extending ranges for UNION tests in case where at least one other injection technique is usable (boundaries has been established)
2012-04-23 17:41:36 +04:00
test.request.columns = re.sub(r"\b%d\b" % _, str(2 * _), test.request.columns)
title = re.sub(r"\b%d\b" % _, str(2 * _), title)
test.title = re.sub(r"\b%d\b" % _, str(2 * _), test.title)
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# Skip test if the user's wants to test only for a specific
# technique
closes #219 - unhidden switch --technique and adapted code accordingly (renamed conf.technique to conf.tech to fit properly in the -h help message)
2011-04-06 18:41:44 +04:00
if conf.tech and isinstance(conf.tech, list) and stype not in conf.tech:
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
debugMsg = "skipping test '%s' because the user " % title
debugMsg += "specified to test only for "
cosmetics
2011-05-03 01:48:08 +04:00
debugMsg += "%s techniques" % " & ".join(map(lambda x: PAYLOAD.SQLINJECTION[x], conf.tech))
Consider also --dbms value during the detection phase
2010-11-29 17:48:07 +03:00
logger.debug(debugMsg)
continue
Better sort
2011-02-02 01:04:48 +03:00
# Skip test if it is the same SQL injection type already
# identified by another test
if injection.data and stype in injection.data:
debugMsg = "skipping test '%s' because " % title
debugMsg += "the payload for %s has " % PAYLOAD.SQLINJECTION[stype]
debugMsg += "already been identified"
logger.debug(debugMsg)
continue
Implementation for an Issue #363
2013-02-01 20:24:04 +04:00
# Skip DBMS-specific test if it does not match either the
# previously identified or the user's provided DBMS (either
# from program switch or from parsed error message(s))
if "details" in test and "dbms" in test.details:
dbms = test.details.dbms
else:
dbms = None
adding a new (for now) hidden switch --test-filter for filtering tests by their name
2011-09-27 18:09:25 +04:00
# Skip tests if title is not included by the given filter
Update for Issue #118
2012-07-24 17:43:29 +04:00
if conf.testFilter:
Minor update
2013-10-27 02:24:57 +04:00
if not any(conf.testFilter in str(item) or re.search(conf.testFilter, str(item), re.I) for item in (test.title, test.vector, dbms)):
minor update
2011-09-27 18:31:58 +04:00
debugMsg = "skipping test '%s' because " % title
grammar fix
2012-03-14 02:03:23 +04:00
debugMsg += "its name/vector/dbms is not included by the given filter"
minor update
2011-09-27 18:31:58 +04:00
logger.debug(debugMsg)
continue
Implementation for an Issue #363
2013-02-01 20:24:04 +04:00
Minor fix
2013-02-05 13:58:02 +04:00
elif not (kb.extendTests and intersect(dbms, kb.extendTests)):
minor update
2011-09-27 18:31:58 +04:00
# Skip test if the risk is higher than the provided (or default)
# value
# Parse test's <risk>
if test.risk > conf.risk:
debugMsg = "skipping test '%s' because the risk (%d) " % (title, test.risk)
debugMsg += "is higher than the provided (%d)" % conf.risk
logger.debug(debugMsg)
continue
# Skip test if the level is higher than the provided (or default)
# value
# Parse test's <level>
if test.level > conf.level:
debugMsg = "skipping test '%s' because the level (%d) " % (title, test.level)
debugMsg += "is higher than the provided (%d)" % conf.level
logger.debug(debugMsg)
continue
adding a new (for now) hidden switch --test-filter for filtering tests by their name
2011-09-27 18:09:25 +04:00
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
if dbms is not None:
update regarding multiple DBMS payloads
2011-02-14 00:20:21 +03:00
if injection.dbms is not None and not intersect(injection.dbms, dbms):
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
debugMsg = "skipping test '%s' because " % title
debugMsg += "the back-end DBMS identified is "
debugMsg += "%s" % injection.dbms
logger.debug(debugMsg)
continue
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
Bug fix
2013-10-07 14:54:19 +04:00
if conf.dbms is not None and not intersect(conf.dbms.lower(), [_.lower() for _ in arrayizeValue(dbms)]):
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
debugMsg = "skipping test '%s' because " % title
debugMsg += "the provided DBMS is %s" % conf.dbms
logger.debug(debugMsg)
continue
Implementation for an Issue #363
2013-02-01 20:24:04 +04:00
if kb.reduceTests and not intersect(dbms, kb.reduceTests):
user can now choose if he wants to skip non-heuristic based DBMS tests
2011-01-02 02:38:11 +03:00
debugMsg = "skipping test '%s' because " % title
minor cosmetics
2011-01-02 10:09:04 +03:00
debugMsg += "the parsed error message(s) showed "
debugMsg += "that the back-end DBMS could be "
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
debugMsg += "%s" % Format.getErrorParsedDBMSes()
user can now choose if he wants to skip non-heuristic based DBMS tests
2011-01-02 02:38:11 +03:00
logger.debug(debugMsg)
continue
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# Skip test if it does not match the same SQL injection clause
# already identified by another test
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
clauseMatch = False
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
for clauseTest in clause:
if injection.clause is not None and clauseTest in injection.clause:
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
clauseMatch = True
break
minor code restyling
2012-02-22 19:53:36 +04:00
if clause != [0] and injection.clause and injection.clause != [0] and not clauseMatch:
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
debugMsg = "skipping test '%s' because the clauses " % title
debugMsg += "differs from the clause already identified"
logger.debug(debugMsg)
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
continue
Major bug fix to detect UNION query technique and various improvements to parsing and using of --union-char and --union-cols switches
2011-05-10 19:34:54 +04:00
# Skip test if the user provided custom character
if conf.uChar is not None and ("random number" in title or "(NULL)" in title):
debugMsg = "skipping test '%s' because the user " % title
debugMsg += "provided a specific character, %s" % conf.uChar
Another layout adjustment
2011-01-30 19:23:19 +03:00
logger.debug(debugMsg)
continue
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
infoMsg = "testing '%s'" % title
logger.info(infoMsg)
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
More adjustments related to unescape() and cleanupPayload(). Minor code cleanup related to error-based payload.
2011-02-07 02:27:56 +03:00
# Force back-end DBMS according to the current
# test value for proper payload unescaping
update regarding multiple DBMS payloads
2011-02-14 00:20:21 +03:00
Backend.forceDbms(dbms[0] if isinstance(dbms, list) else dbms)
More adjustments related to unescape() and cleanupPayload(). Minor code cleanup related to error-based payload.
2011-02-07 02:27:56 +03:00
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# Parse test's <request>
fix for a bug reported by Ahmed Shawky (when user uses --suffix intermixing test default comments with the provided suffix is a big no no)
2011-08-02 22:20:21 +04:00
comment = agent.getComment(test.request) if len(conf.boundaries) > 1 else None
Bug fix for PAYLOAD.WHERE.REPLACE payloads containing custom injection marker ([ORIGVALUE] was screwed)
2014-02-26 14:41:48 +04:00
fstPayload = agent.cleanupPayload(test.request.payload, origValue=value if place not in (PLACE.URI, PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER) else None)
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
Favoring non-string specific boundaries in case of digit-like parameter values
2012-08-22 15:58:52 +04:00
# Favoring non-string specific boundaries in case of digit-like parameter values
if value.isdigit():
boundaries = sorted(copy.deepcopy(conf.boundaries), key=lambda x: any(_ in (x.prefix or "") or _ in (x.suffix or "") for _ in ('"', '\'')))
else:
boundaries = conf.boundaries
for boundary in boundaries:
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
injectable = False
# Skip boundary if the level is higher than the provided (or
# default) value
# Parse boundary's <level>
if boundary.level > conf.level:
continue
# Skip boundary if it does not match against test's <clause>
# Parse test's <clause> and boundary's <clause>
clauseMatch = False
for clauseTest in test.clause:
if clauseTest in boundary.clause:
clauseMatch = True
break
minor code restyling
2012-02-22 19:53:36 +04:00
if test.clause != [0] and boundary.clause != [0] and not clauseMatch:
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
continue
# Skip boundary if it does not match against test's <where>
# Parse test's <where> and boundary's <where>
whereMatch = False
for where in test.where:
if where in boundary.where:
whereMatch = True
break
if not whereMatch:
continue
# Parse boundary's <prefix>, <suffix> and <ptype>
prefix = boundary.prefix if boundary.prefix else ""
suffix = boundary.suffix if boundary.suffix else ""
Implementation for an Issue #194
2012-09-25 11:25:35 +04:00
# Options --prefix/--suffix have a higher priority (if set by user)
prefix = conf.prefix if conf.prefix is not None else prefix
suffix = conf.suffix if conf.suffix is not None else suffix
comment = None if conf.suffix is not None else comment
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
ptype = boundary.ptype
# If the previous injections succeeded, we know which prefix,
# suffix and parameter type to use for further tests, no
# need to cycle through the boundaries for the following tests
condBound = (injection.prefix is not None and injection.suffix is not None)
condBound &= (injection.prefix != prefix or injection.suffix != suffix)
condType = injection.ptype is not None and injection.ptype != ptype
if condBound or condType:
continue
# For each test's <where>
for where in test.where:
templatePayload = None
Ahead with UNION exploitation after UNION test moved to detection phase - a lot to do yet.
2011-01-12 03:47:39 +03:00
vector = None
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# Threat the parameter original value according to the
# test's <where> tag
Patch for an Issue #564
2013-12-27 14:02:59 +04:00
if where == PAYLOAD.WHERE.ORIGINAL or conf.prefix:
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
origValue = value
Patch for an Issue #611 (original page used in case of tamper functions was wrong - e.g. if --tamper=base64encode was used)
2014-02-25 16:48:34 +04:00
if kb.tamperFunctions:
templatePayload = agent.payload(place, parameter, value="", newValue=origValue, where=where)
adding WHERE enum for payloads
2011-02-02 16:34:09 +03:00
elif where == PAYLOAD.WHERE.NEGATIVE:
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
# Use different page template than the original
# one as we are changing parameters value, which
# will likely result in a different content
Making 10% less requests in futile higher level/risk runs (using static template payloads for where==NEGATIVE)
2013-07-15 18:24:49 +04:00
kb.data.setdefault("randomInt", str(randomInt(10)))
Adding a switch --invalid-string
2014-01-24 00:56:06 +04:00
kb.data.setdefault("randomStr", str(randomStr(10)))
adding --invalid-bignum (Havij like bignum style for invalidating/negating values); renaming --logical-negate to --invalid-logical
2012-04-26 00:29:07 +04:00
if conf.invalidLogical:
Making 10% less requests in futile higher level/risk runs (using static template payloads for where==NEGATIVE)
2013-07-15 18:24:49 +04:00
_ = int(kb.data.randomInt[:2])
Trivial commit related to the last one
2013-03-01 15:09:03 +04:00
origValue = "%s AND %s=%s" % (value, _, _ + 1)
adding --invalid-bignum (Havij like bignum style for invalidating/negating values); renaming --logical-negate to --invalid-logical
2012-04-26 00:29:07 +04:00
elif conf.invalidBignum:
Changing --invalid-bignum from float producing to int producing
2014-01-23 12:07:25 +04:00
origValue = kb.data.randomInt[:6]
Adding a switch --invalid-string
2014-01-24 00:56:06 +04:00
elif conf.invalidString:
origValue = kb.data.randomStr[:6]
adding --invalid-bignum (Havij like bignum style for invalidating/negating values); renaming --logical-negate to --invalid-logical
2012-04-26 00:29:07 +04:00
else:
Making 10% less requests in futile higher level/risk runs (using static template payloads for where==NEGATIVE)
2013-07-15 18:24:49 +04:00
origValue = "-%s" % kb.data.randomInt[:4]
Minor fix (templatePayload had duplicate string patterns for where==NEGATIVE)
2013-07-15 15:54:02 +04:00
templatePayload = agent.payload(place, parameter, value="", newValue=origValue, where=where)
adding WHERE enum for payloads
2011-02-02 16:34:09 +03:00
elif where == PAYLOAD.WHERE.REPLACE:
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
origValue = ""
fix for one of those more complex bugs (comparison was returning None while original page and/or page template were already had already DBMS error inside)
2010-12-24 15:13:48 +03:00
kb.pageTemplate, kb.errorIsNone = getPageTemplate(templatePayload, place)
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# Forge request payload by prepending with boundary's
# prefix and appending the boundary's suffix to the
# test's ' <payload><comment> ' string
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
boundPayload = agent.prefixQuery(fstPayload, prefix, where, clause)
Minor bug fix to properly deal --prefix and --suffix and parameter replace payloads
2011-01-24 15:25:45 +03:00
boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# Perform the test's request and check whether or not the
# payload was successful
# Parse test's <response>
for method, check in test.response.items():
Bug fix for PAYLOAD.WHERE.REPLACE payloads containing custom injection marker ([ORIGVALUE] was screwed)
2014-02-26 14:41:48 +04:00
check = agent.cleanupPayload(check, origValue=value if place not in (PLACE.URI, PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER) else None)
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# In case of boolean-based blind SQL injection
if method == PAYLOAD.METHOD.COMPARISON:
fix (lol. we were using same comparison payload through the all test. it's a nono :) p.s. this way we are dealing with "reflective" problem too
2011-02-08 00:53:05 +03:00
# Generate payload used for comparison
def genCmpPayload():
Bug fix for PAYLOAD.WHERE.REPLACE payloads containing custom injection marker ([ORIGVALUE] was screwed)
2014-02-26 14:41:48 +04:00
sndPayload = agent.cleanupPayload(test.response.comparison, origValue=value if place not in (PLACE.URI, PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER) else None)
fix (lol. we were using same comparison payload through the all test. it's a nono :) p.s. this way we are dealing with "reflective" problem too
2011-02-08 00:53:05 +03:00
# Forge response payload by prepending with
# boundary's prefix and appending the boundary's
# suffix to the test's ' <payload><comment> '
# string
boundPayload = agent.prefixQuery(sndPayload, prefix, where, clause)
boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
cmpPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
Minor code cleanup
2011-02-08 03:02:54 +03:00
fix (lol. we were using same comparison payload through the all test. it's a nono :) p.s. this way we are dealing with "reflective" problem too
2011-02-08 00:53:05 +03:00
return cmpPayload
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# Useful to set kb.matchRatio at first based on
# the False response content
kb.matchRatio = None
improvement toward proper implementation of OR-based injection by usage of "negative logic" mechanism
2012-03-29 18:33:27 +04:00
kb.negativeLogic = (where == PAYLOAD.WHERE.NEGATIVE)
minor code restyling
2012-02-22 19:53:36 +04:00
Request.queryPage(genCmpPayload(), place, raise404=False)
Revert of previous commit (more care has to be done regarding headers dynamicity)
2013-01-18 19:49:35 +04:00
falsePage = threadData.lastComparisonPage or ""
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# Perform the test's True request
minor fix (in testing phase raise404 should be set to False)
2010-12-24 15:36:00 +03:00
trueResult = Request.queryPage(reqPayload, place, raise404=False)
Revert of previous commit (more care has to be done regarding headers dynamicity)
2013-01-18 19:49:35 +04:00
truePage = threadData.lastComparisonPage or ""
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
if trueResult:
fix (lol. we were using same comparison payload through the all test. it's a nono :) p.s. this way we are dealing with "reflective" problem too
2011-02-08 00:53:05 +03:00
falseResult = Request.queryPage(genCmpPayload(), place, raise404=False)
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# Perform the test's False request
if not falseResult:
Changing 'is injectable' to 'seems to be injectable' for boolean and time-based blind injection cases - for false positive cases
2014-02-09 20:50:16 +04:00
infoMsg = "%s parameter '%s' seems to be '%s' injectable " % (place, parameter, title)
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
logger.info(infoMsg)
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
injectable = True
minor cosmetics
2012-04-11 01:57:00 +04:00
Implementation for an Issue #70
2012-07-26 14:06:02 +04:00
if not injectable and not any((conf.string, conf.notString, conf.regexp)) and kb.pageStable:
Revert of previous commit (more care has to be done regarding headers dynamicity)
2013-01-18 19:49:35 +04:00
trueSet = set(extractTextTagContent(truePage))
falseSet = set(extractTextTagContent(falsePage))
Better fix for that page/headers/comparison --string candidate problem
2013-01-18 20:00:11 +04:00
candidates = filter(None, (_.strip() if _.strip() in (kb.pageTemplate or "") and _.strip() not in falsePage and _.strip() not in threadData.lastComparisonHeaders else None for _ in (trueSet - falseSet)))
making a random choice from candidates
2012-04-13 14:54:30 +04:00
if candidates:
Fix for an Issue where '--string' is being automatically picked not looking properly in headers too
2013-01-18 19:35:09 +04:00
conf.string = candidates[0]
Making those --string tips (containing escaped characters) decodable by sqlmap
2012-07-31 13:32:53 +04:00
infoMsg = "%s parameter '%s' seems to be '%s' injectable (with --string=\"%s\")" % (place, parameter, title, repr(conf.string).lstrip('u').strip("'"))
improving "boolean detection" by automatic recognition of convenient --string candidate
2012-04-11 01:48:34 +04:00
logger.info(infoMsg)
minor cosmetics
2012-04-11 01:57:00 +04:00
improving "boolean detection" by automatic recognition of convenient --string candidate
2012-04-11 01:48:34 +04:00
injectable = True
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
# In case of error-based SQL injection
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
elif method == PAYLOAD.METHOD.GREP:
# Perform the test's request and grep the response
# body for the test's <grep> regular expression
improvement of error-based testing (no more sqlmap aborting on error-based payloads which happens very often on MySQL servers); also, minor improvement on brute forcing of column names
2011-03-30 22:32:10 +04:00
try:
page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False)
output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE) \
or extractRegexResult(check, listToStrValue(headers.headers \
if headers else None), re.DOTALL | re.IGNORECASE) \
or extractRegexResult(check, threadData.lastRedirectMsg[1] \
if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \
threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)
if output:
result = output == "1"
if result:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 17:14:19 +04:00
except SqlmapConnectionException, msg:
Minor fix
2013-07-31 11:22:45 +04:00
debugMsg = "problem occurred most likely because the "
improvement of error-based testing (no more sqlmap aborting on error-based payloads which happens very often on MySQL servers); also, minor improvement on brute forcing of column names
2011-03-30 22:32:10 +04:00
debugMsg += "server hasn't recovered as expected from the "
debugMsg += "error-based payload used ('%s')" % msg
logger.debug(debugMsg)
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# In case of time-based blind or stacked queries
# SQL injections
elif method == PAYLOAD.METHOD.TIME:
# Perform the test's request
minor fix (in testing phase raise404 should be set to False)
2010-12-24 15:36:00 +03:00
trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
if trueResult:
# Confirm test's results
minor fix (in testing phase raise404 should be set to False)
2010-12-24 15:36:00 +03:00
trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
if trueResult:
Changing 'is injectable' to 'seems to be injectable' for boolean and time-based blind injection cases - for false positive cases
2014-02-09 20:50:16 +04:00
infoMsg = "%s parameter '%s' seems to be '%s' injectable " % (place, parameter, title)
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
logger.info(infoMsg)
injectable = True
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
# In case of UNION query SQL injection
elif method == PAYLOAD.METHOD.UNION:
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase.
2011-01-12 15:01:32 +03:00
# Test for UNION injection and set the sample
# payload as well as the vector.
# NOTE: vector is set to a tuple with 6 elements,
Massive renaming (proper naming is inband = union & error techniques! - query naming stays as they are/in code things like forgeInbandQuery are renamed to forgeUnionQuery)
2012-10-28 02:36:09 +04:00
# used afterwards by Agent.forgeUnionQuery()
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase.
2011-01-12 15:01:32 +03:00
# method to forge the UNION query payload
bug fix and proper warning message
2011-01-15 19:59:53 +03:00
Proper support for --union-cols
2011-01-18 01:57:33 +03:00
configUnion(test.request.char, test.request.columns)
some more refactoring
2011-04-20 03:04:10 +04:00
if not Backend.getIdentifiedDbms():
Bug fix (causing search problems)
2013-02-01 14:24:17 +04:00
if kb.heuristicDbms in (None, UNKNOWN_DBMS):
Implementation for an Issue #377
2013-01-25 15:34:57 +04:00
warnMsg = "using unescaped version of the test "
warnMsg += "because of zero knowledge of the "
warnMsg += "back-end DBMS. You can try to "
warnMsg += "explicitly set it using option '--dbms'"
singleTimeWarnMessage(warnMsg)
else:
Backend.forceDbms(kb.heuristicDbms)
restraining "using unescaped version of the test because of zero knowledge of the back-end DBMS" once per test (before was once per boundary)
2011-02-08 00:18:01 +03:00
minor beauty patch
2012-05-07 17:51:31 +04:00
if unionExtended:
infoMsg = "automatically extending ranges "
infoMsg += "for UNION query injection technique tests as "
Minor language update
2013-08-22 13:11:30 +04:00
infoMsg += "there is at least one other (potential) "
infoMsg += "technique found"
minor beauty patch
2012-05-07 17:51:31 +04:00
singleTimeLogMessage(infoMsg)
Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase. Adapted UNION tests' titles when --union-char is provided. Lots of comment adjustments. Code cleanup
2011-01-19 02:03:50 +03:00
# Test for UNION query SQL injection
Major bug fix. Minor code refactoring.
2011-01-16 04:17:09 +03:00
reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix)
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
if isinstance(reqPayload, basestring):
infoMsg = "%s parameter '%s' is '%s' injectable" % (place, parameter, title)
logger.info(infoMsg)
injectable = True
More refactoring and cleanup
2011-01-16 03:15:30 +03:00
# Overwrite 'where' because it can be set
# by unionTest() directly
Important bug fix. Minor code restyling.
2011-01-13 12:41:55 +03:00
where = vector[6]
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase.
2011-01-12 15:01:32 +03:00
important update - finally found what was causing headache for UNION payloads in noticeable number of cases
2011-05-27 01:54:19 +04:00
kb.previousMethod = method
Minor patch (for ORDER BY 'col' cases)
2013-10-11 01:08:20 +04:00
if conf.dummy:
injectable = False
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# If the injection test was successful feed the injection
# object with the test's details
if injectable is True:
# Feed with the boundaries details only the first time a
# test has been successful
if injection.place is None or injection.parameter is None:
Minor preparation for an Issue #48
2012-07-26 14:26:57 +04:00
if place in (PLACE.USER_AGENT, PLACE.REFERER, PLACE.HOST):
quick fix for UA and Referer
2011-02-12 02:36:23 +03:00
injection.parameter = place
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
else:
injection.parameter = parameter
injection.place = place
injection.ptype = ptype
injection.prefix = prefix
injection.suffix = suffix
injection.clause = clause
Minor reordering of what gets saved into the injection object
2011-02-06 18:20:44 +03:00
# Feed with test details every time a test is successful
if hasattr(test, "details"):
for dKey, dValue in test.details.items():
bug fix (until this moment we had UNION unfunctional for MSSQL)
2011-06-02 02:47:54 +04:00
if dKey == "dbms":
Dealing with rare cases when getIdentifiedDbms is needed prior to DBMS isfingerprinted and there are multiples of dbmses inside details
2012-10-28 03:11:50 +04:00
injection.dbms = dValue
bug fix (until this moment we had UNION unfunctional for MSSQL)
2011-06-02 02:47:54 +04:00
if not isinstance(dValue, list):
Dealing with rare cases when getIdentifiedDbms is needed prior to DBMS isfingerprinted and there are multiples of dbmses inside details
2012-10-28 03:11:50 +04:00
Backend.setDbms(dValue)
bug fix (until this moment we had UNION unfunctional for MSSQL)
2011-06-02 02:47:54 +04:00
else:
proper fix related to the last commit
2011-06-02 03:00:18 +04:00
Backend.forceDbms(dValue[0], True)
Update for Issue #118
2012-07-24 17:43:29 +04:00
elif dKey == "dbms_version" and injection.dbms_version is None and not conf.testFilter:
Minor reordering of what gets saved into the injection object
2011-02-06 18:20:44 +03:00
injection.dbms_version = Backend.setVersion(dValue)
elif dKey == "os" and injection.os is None:
injection.os = Backend.setOs(dValue)
Ahead with UNION exploitation after UNION test moved to detection phase - a lot to do yet.
2011-01-12 03:47:39 +03:00
if vector is None and "vector" in test and test.vector is not None:
Cleaning/refactoring of bunch of stacked/suffix/comment stuff (e.g.
2012-09-26 13:27:43 +04:00
vector = test.vector
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
few fixes and minor cosmetics
2011-07-08 10:02:31 +04:00
injection.data[stype] = AttribDict()
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
injection.data[stype].title = title
centralization of urlencoding should be (only) in connect.py and we are from now on handling non-urlencoded data at other levels
2011-01-27 22:44:24 +03:00
injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload)
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
injection.data[stype].where = where
Ahead with UNION exploitation after UNION test moved to detection phase - a lot to do yet.
2011-01-12 03:47:39 +03:00
injection.data[stype].vector = vector
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
injection.data[stype].comment = comment
injection.data[stype].templatePayload = templatePayload
minor code refactoring
2011-01-14 17:55:59 +03:00
injection.data[stype].matchRatio = kb.matchRatio
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
minor code refactoring
2011-01-14 17:55:59 +03:00
injection.conf.textOnly = conf.textOnly
minor update
2011-06-11 12:33:36 +04:00
injection.conf.titles = conf.titles
More code cleanup
2011-01-16 02:11:36 +03:00
injection.conf.string = conf.string
Implementation for an Issue #70
2012-07-26 14:06:02 +04:00
injection.conf.notString = conf.notString
More code cleanup
2011-01-16 02:11:36 +03:00
injection.conf.regexp = conf.regexp
Partial fix for -o not resumed at following runs if missing from command line
2011-07-25 15:05:49 +04:00
injection.conf.optimize = conf.optimize
refactoring, code clearing and removal of obsolete switch --longest-common
2011-01-14 17:37:03 +03:00
Minor update for Issues #292 & #293 (only single alert per target)
2012-12-11 17:44:43 +04:00
if not kb.alerted:
if conf.beep:
beep()
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
Minor update for Issues #292 & #293 (only single alert per target)
2012-12-11 17:44:43 +04:00
if conf.alert:
infoMsg = "executing alerting shell command(s) ('%s')" % conf.alert
logger.info(infoMsg)
process = execute(conf.alert, shell=True)
process.wait()
Implementation for an Issue #293
2012-12-11 15:48:58 +04:00
Minor update for Issues #292 & #293 (only single alert per target)
2012-12-11 17:44:43 +04:00
kb.alerted = True
Implementation for an Issue #293
2012-12-11 15:48:58 +04:00
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
# There is no need to perform this test for other
# <where> tags
break
if injectable is True:
Implementation for an #162
2012-08-22 18:50:01 +04:00
kb.vulnHosts.add(conf.hostname)
Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase. Major code refactoring and commenting to detection engine. Ask user whether or not to proceed to test remaining parameters after an injection point has been identified. Restore beep at SQL injection find. Avoid reuse of same variable in DBMS handler code. Minor adjustment of payloads XML file.
2010-12-01 01:40:25 +03:00
break
After the storm, a restore..
2008-10-15 19:38:22 +04:00
one more update regarding last few "unescape" related commits
2011-02-06 23:23:23 +03:00
# Reset forced back-end DBMS value
Backend.flushForcedDbms()
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
except KeyboardInterrupt:
cosmeticados ;)
2011-04-08 14:39:07 +04:00
warnMsg = "user aborted during detection phase"
added Ctrl+C check in detection phase
2010-12-18 13:42:09 +03:00
logger.warn(warnMsg)
Adding change verbosity level in testing phase when Ctrl+C pressed
2013-10-17 18:54:53 +04:00
msg = "how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit]"
Implementation for an Issue #363
2013-02-01 20:24:04 +04:00
choice = readInput(msg, default="S", checkBatch=False)
minor update (that default quit in --batch was bothering me - my original idea and it was bad :)
2011-06-27 18:14:49 +04:00
if choice[0] in ("s", "S"):
pass
Adding change verbosity level in testing phase when Ctrl+C pressed
2013-10-17 18:54:53 +04:00
elif choice[0] in ("c", "C"):
choice = None
while not ((choice or "").isdigit() and 0 <= int(choice) <= 6):
if choice:
logger.warn("invalid value")
msg = "enter new verbosity level: [0-6] "
choice = readInput(msg, default=str(conf.verbose), checkBatch=False).strip()
conf.verbose = int(choice)
setVerbosity()
minor update (that default quit in --batch was bothering me - my original idea and it was bad :)
2011-06-27 18:14:49 +04:00
elif choice[0] in ("n", "N"):
return None
elif choice[0] in ("e", "E"):
change by request
2011-06-08 18:44:11 +04:00
kb.endDetection = True
minor update (that default quit in --batch was bothering me - my original idea and it was bad :)
2011-06-27 18:14:49 +04:00
elif choice[0] in ("q", "Q"):
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 17:14:19 +04:00
raise SqlmapUserQuitException
some updates
2010-12-04 18:47:02 +03:00
one more update regarding last few "unescape" related commits
2011-02-06 23:23:23 +03:00
finally:
# Reset forced back-end DBMS value
Backend.flushForcedDbms()
proper fix related to the last commit
2011-06-02 03:00:18 +04:00
Backend.flushForcedDbms(True)
Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase. Major code refactoring and commenting to detection engine. Ask user whether or not to proceed to test remaining parameters after an injection point has been identified. Restore beep at SQL injection find. Avoid reuse of same variable in DBMS handler code. Minor adjustment of payloads XML file.
2010-12-01 01:40:25 +03:00
# Return the injection object
Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase. Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring.
2010-11-29 00:27:47 +03:00
if injection.place is not None and injection.parameter is not None:
more info to the user
2011-06-03 19:43:50 +04:00
if not conf.dropSetCookie and PAYLOAD.TECHNIQUE.BOOLEAN in injection.data and injection.data[PAYLOAD.TECHNIQUE.BOOLEAN].vector.startswith('OR'):
Cosmetics and a missing param
2011-06-08 18:40:42 +04:00
warnMsg = "in OR boolean-based injections, please consider usage "
some estetic updates
2012-02-01 18:49:42 +04:00
warnMsg += "of switch '--drop-set-cookie' if you experience any "
more info to the user
2011-06-03 19:43:50 +04:00
warnMsg += "problems during data retrieval"
logger.warn(warnMsg)
implemented checkFalsePositives method (simple Turing like tests)
2011-04-22 16:24:16 +04:00
injection = checkFalsePositives(injection)
Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase. Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring.
2010-11-29 00:27:47 +03:00
else:
Implementation for an Issue #222
2012-10-25 15:21:32 +04:00
injection = None
if injection:
typo fix
2013-01-16 05:31:03 +04:00
checkSuhosinPatch(injection)
Implementation for an Issue #222
2012-10-25 15:21:32 +04:00
return injection
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Implementation for an Issue #377
2013-01-25 15:34:57 +04:00
def heuristicCheckDbms(injection):
retVal = None
Bug fix (causing search problems)
2013-02-01 14:24:17 +04:00
pushValue(kb.injection)
kb.injection = injection
randStr1, randStr2 = randomStr(), randomStr()
Implementation for an Issue #377
2013-01-25 15:34:57 +04:00
Bug fix (causing search problems)
2013-02-01 14:24:17 +04:00
for dbms in getPublicTypeMembers(DBMS, True):
Backend.forceDbms(dbms)
Implementation for an Issue #377
2013-01-25 15:34:57 +04:00
Bug fix (causing search problems)
2013-02-01 14:24:17 +04:00
if checkBooleanExpression("(SELECT '%s'%s)='%s'" % (randStr1, FROM_DUMMY_TABLE.get(dbms, ""), randStr1)):
if not checkBooleanExpression("(SELECT '%s'%s)='%s'" % (randStr1, FROM_DUMMY_TABLE.get(dbms, ""), randStr2)):
retVal = dbms
break
Implementation for an Issue #377
2013-01-25 15:34:57 +04:00
Bug fix (causing search problems)
2013-02-01 14:24:17 +04:00
Backend.flushForcedDbms()
kb.injection = popValue()
Implementation for an Issue #377
2013-01-25 15:34:57 +04:00
Minor style update for an Issue #377
2013-01-25 15:52:31 +04:00
if retVal:
Implementation for an Issue #363
2013-02-01 20:24:04 +04:00
infoMsg = "heuristic (extended) test shows that the back-end DBMS " # not as important as "parsing" counter-part (because of false-positives)
Minor style update for an Issue #377
2013-01-25 15:52:31 +04:00
infoMsg += "could be '%s' " % retVal
logger.info(infoMsg)
Implementation for an Issue #377
2013-01-25 15:34:57 +04:00
return retVal
implemented checkFalsePositives method (simple Turing like tests)
2011-04-22 16:24:16 +04:00
def checkFalsePositives(injection):
"""
minor usability enhancement regarding warning for --text-only switch
2011-05-27 00:48:18 +04:00
Checks for false positives (only in single special cases)
implemented checkFalsePositives method (simple Turing like tests)
2011-04-22 16:24:16 +04:00
"""
retVal = injection
minor update
2011-10-10 21:29:54 +04:00
if len(injection.data) == 1 and any(map(lambda x: x in injection.data, [PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED]))\
typo fix
2013-01-16 05:31:03 +04:00
or len(injection.data) == 2 and all(map(lambda x: x in injection.data, [PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED])):
# or len(injection.data) == 1 and 'Generic' in injection.data.values()[0].title and not Backend.getIdentifiedDbms():
implemented checkFalsePositives method (simple Turing like tests)
2011-04-22 16:24:16 +04:00
pushValue(kb.injection)
cosmeticados
2011-04-25 04:36:09 +04:00
infoMsg = "checking if the injection point on %s " % injection.place
infoMsg += "parameter '%s' is a false positive" % injection.parameter
implemented checkFalsePositives method (simple Turing like tests)
2011-04-22 16:24:16 +04:00
logger.info(infoMsg)
minor fix for some special "unusable" cases (seen on Access/ODBC/Linux setup)
2012-03-09 14:28:19 +04:00
def _():
return int(randomInt(2)) + 1
implemented checkFalsePositives method (simple Turing like tests)
2011-04-22 16:24:16 +04:00
kb.injection = injection
Cosmetics and a missing param
2011-06-08 18:40:42 +04:00
# Simple arithmetic operations which should show basic
minor usability enhancement regarding warning for --text-only switch
2011-05-27 00:48:18 +04:00
# arithmetic ability of the backend if it's really injectable
Raising number of requests for false positive testing in case of higher levels
2014-02-23 22:40:01 +04:00
for i in xrange(conf.level):
Implementation for an Issue #204
2012-10-16 12:24:05 +04:00
randInt1, randInt2, randInt3 = (_() for j in xrange(3))
Removing arithmetic operations from false positive checking to minimize affect of character filtering ('>' and '=' have to stay because those are minimal requirements)
2013-06-26 12:55:34 +04:00
randInt1 = min(randInt1, randInt2, randInt3)
randInt3 = max(randInt1, randInt2, randInt3)
while randInt1 >= randInt2:
Implementation for an Issue #204
2012-10-16 12:24:05 +04:00
randInt2 = _()
Removing arithmetic operations from false positive checking to minimize affect of character filtering ('>' and '=' have to stay because those are minimal requirements)
2013-06-26 12:55:34 +04:00
while randInt2 >= randInt3:
randInt3 = _()
if not checkBooleanExpression("%d=%d" % (randInt1, randInt1)):
Implementation for an Issue #204
2012-10-16 12:24:05 +04:00
retVal = None
break
Minor update (one more just in case dummy request in false positive check for time-based injections - when DBMS could be unresponsive a bit due to previous heavy-queries)
2013-03-01 13:59:04 +04:00
# Just in case if DBMS hasn't properly recovered from previous delayed request
if PAYLOAD.TECHNIQUE.BOOLEAN not in injection.data:
Fixed incorrect call to checkBooleanExpression when testing for false positives
2013-03-02 01:51:34 +04:00
checkBooleanExpression("%d=%d" % (randInt1, randInt2))
Minor update (one more just in case dummy request in false positive check for time-based injections - when DBMS could be unresponsive a bit due to previous heavy-queries)
2013-03-01 13:59:04 +04:00
Removing arithmetic operations from false positive checking to minimize affect of character filtering ('>' and '=' have to stay because those are minimal requirements)
2013-06-26 12:55:34 +04:00
if checkBooleanExpression("%d>%d" % (randInt1, randInt2)):
Implementation for an Issue #204
2012-10-16 12:24:05 +04:00
retVal = None
break
Removing arithmetic operations from false positive checking to minimize affect of character filtering ('>' and '=' have to stay because those are minimal requirements)
2013-06-26 12:55:34 +04:00
elif checkBooleanExpression("%d>%d" % (randInt2, randInt3)):
Implementation for an Issue #204
2012-10-16 12:24:05 +04:00
retVal = None
break
Removing arithmetic operations from false positive checking to minimize affect of character filtering ('>' and '=' have to stay because those are minimal requirements)
2013-06-26 12:55:34 +04:00
elif not checkBooleanExpression("%d>%d" % (randInt3, randInt1)):
Implementation for an Issue #204
2012-10-16 12:24:05 +04:00
retVal = None
break
implemented checkFalsePositives method (simple Turing like tests)
2011-04-22 16:24:16 +04:00
if retVal is None:
doing a dummy test for --os-shell in case of xp_cmdshell
2012-03-09 18:21:41 +04:00
warnMsg = "false positive or unexploitable injection point detected"
implemented checkFalsePositives method (simple Turing like tests)
2011-04-22 16:24:16 +04:00
logger.warn(warnMsg)
Adding a small warning message (related to the Issue #407)
2013-02-22 14:12:41 +04:00
if PAYLOAD.TECHNIQUE.BOOLEAN in injection.data:
if all(_.__name__ != "between" for _ in kb.tamperFunctions):
warnMsg = "there is a possibility that the character '>' is "
warnMsg += "filtered by the back-end server. You can try "
warnMsg += "to rerun with '--tamper=between'"
logger.warn(warnMsg)
implemented checkFalsePositives method (simple Turing like tests)
2011-04-22 16:24:16 +04:00
kb.injection = popValue()
return retVal
typo fix
2013-01-16 05:31:03 +04:00
def checkSuhosinPatch(injection):
Implementation for an Issue #222
2012-10-25 15:21:32 +04:00
"""
typo fix
2013-01-16 05:31:03 +04:00
Checks for existence of Suhosin-patch (and alike) protection mechanism(s)
Implementation for an Issue #222
2012-10-25 15:21:32 +04:00
"""
if injection.place == PLACE.GET:
pushValue(kb.injection)
kb.injection = injection
randInt = randomInt()
Minor update
2013-05-15 15:38:26 +04:00
if not checkBooleanExpression("%d=%s%d" % (randInt, ' ' * SUHOSIN_MAX_VALUE_LENGTH, randInt)):
Implementation for an Issue #222
2012-10-25 15:21:32 +04:00
warnMsg = "parameter length constraint "
typo fix
2013-01-16 05:31:03 +04:00
warnMsg += "mechanism detected (e.g. Suhosin patch). "
Implementation for an Issue #222
2012-10-25 15:21:32 +04:00
warnMsg += "Potential problems in enumeration phase can be expected"
logger.warn(warnMsg)
kb.injection = popValue()
code review part 3
2011-01-15 16:15:10 +03:00
def heuristicCheckSqlInjection(place, parameter):
update of dynamicity testing and few misc fixes
2010-11-05 16:14:12 +03:00
if kb.nullConnection:
Minor text update
2013-07-08 14:38:36 +04:00
debugMsg = "heuristic check skipped "
update of dynamicity testing and few misc fixes
2010-11-05 16:14:12 +03:00
debugMsg += "because NULL connection used"
logger.debug(debugMsg)
minor update
2012-03-05 13:42:52 +04:00
return None
Better naming
2013-01-29 23:53:11 +04:00
if wasLastResponseDBMSError():
Minor text update
2013-07-08 14:38:36 +04:00
debugMsg = "heuristic check skipped "
minor update
2012-03-05 13:42:52 +04:00
debugMsg += "because original page content "
debugMsg += "contains DBMS error"
logger.debug(debugMsg)
return None
update of dynamicity testing and few misc fixes
2010-11-05 16:14:12 +03:00
Update for an Issue #161 (now detecting format error messages too)
2012-08-22 17:51:47 +04:00
origValue = conf.paramDict[place][parameter]
some updates
2010-10-11 16:26:35 +04:00
prefix = ""
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-18 01:00:09 +03:00
suffix = ""
some updates
2010-10-11 16:26:35 +04:00
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-18 01:00:09 +03:00
if conf.prefix or conf.suffix:
some updates
2010-10-11 16:26:35 +04:00
if conf.prefix:
prefix = conf.prefix
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-18 01:00:09 +03:00
if conf.suffix:
suffix = conf.suffix
some updates
2010-10-11 16:26:35 +04:00
Minor refactoring/improvement
2012-10-28 03:42:08 +04:00
randStr = ""
while '\'' not in randStr:
randStr = randomStr(length=10, alphabet=HEURISTIC_CHECK_ALPHABET)
Removing reflective warning for parsing heuristic test
2013-07-08 13:48:33 +04:00
kb.heuristicMode = True
Minor refactoring/improvement
2012-10-28 03:42:08 +04:00
payload = "%s%s%s" % (prefix, randStr, suffix)
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
payload = agent.payload(place, parameter, newValue=payload)
speed optimization and bug fix (kb.absFilePaths were not stored previously; also, they are now extracted only in heuristic phase)
2011-11-22 12:39:13 +04:00
page, _ = Request.queryPage(payload, place, content=True, raise404=False)
Removing reflective warning for parsing heuristic test
2013-07-08 13:48:33 +04:00
kb.heuristicMode = False
speed optimization and bug fix (kb.absFilePaths were not stored previously; also, they are now extracted only in heuristic phase)
2011-11-22 12:39:13 +04:00
parseFilePaths(page)
Better naming
2013-01-29 23:53:11 +04:00
result = wasLastResponseDBMSError()
Cosmetic fixes
2010-10-16 19:10:48 +04:00
Minor language update
2013-03-26 17:18:37 +04:00
infoMsg = "heuristic (basic) test shows that %s " % place
minor update
2010-11-16 13:52:49 +03:00
infoMsg += "parameter '%s' might " % parameter
Cosmetic fixes
2010-10-16 19:10:48 +04:00
Update for an Issue #161 (now detecting format error messages too)
2012-08-22 17:51:47 +04:00
def _(page):
return any(_ in (page or "") for _ in FORMAT_EXCEPTION_STRINGS)
Implementation for an Issue #155
2012-08-20 14:14:01 +04:00
Update for an Issue #161 (now detecting format error messages too)
2012-08-22 17:51:47 +04:00
casting = _(page) and not _(kb.originalPage)
Implementation for an Issue #155
2012-08-20 14:14:01 +04:00
Update for an Issue #161 (now detecting format error messages too)
2012-08-22 17:51:47 +04:00
if not casting and not result and kb.dynamicParameter and origValue.isdigit():
randInt = int(randomInt())
payload = "%s%s%s" % (prefix, "%d-%d" % (int(origValue) + randInt, randInt), suffix)
payload = agent.payload(place, parameter, newValue=payload, where=PAYLOAD.WHERE.REPLACE)
result = Request.queryPage(payload, place, raise404=False)
Implementation of an Issue #161
2012-08-22 13:27:58 +04:00
Update for an Issue #161 (now detecting format error messages too)
2012-08-22 17:51:47 +04:00
if not result:
randStr = randomStr()
payload = "%s%s%s" % (prefix, "%s%s" % (origValue, randStr), suffix)
payload = agent.payload(place, parameter, newValue=payload, where=PAYLOAD.WHERE.REPLACE)
casting = Request.queryPage(payload, place, raise404=False)
some updates
2010-10-11 16:26:35 +04:00
Fix for an Issue #166
2012-08-29 22:21:45 +04:00
kb.heuristicTest = HEURISTIC_TEST.CASTED if casting else HEURISTIC_TEST.NEGATIVE if not result else HEURISTIC_TEST.POSITIVE
Implementation of an Issue #161
2012-08-22 13:27:58 +04:00
if casting:
Minor update
2012-08-22 17:53:40 +04:00
errMsg = "possible %s casting " % ("integer" if origValue.isdigit() else "type")
Minor typo fix
2013-07-08 13:52:46 +04:00
errMsg += "detected (e.g. \"$%s=intval($_REQUEST['%s'])\") " % (parameter, parameter)
Implementation of an Issue #161
2012-08-22 13:27:58 +04:00
errMsg += "at the back-end web application"
logger.error(errMsg)
Update for an Issue #161 (changing default readInput value regarding the conf.multipleTargets)
2012-08-22 18:06:09 +04:00
if kb.ignoreCasted is None:
Minor language update
2012-08-22 18:10:56 +04:00
message = "do you want to skip those kind of cases (and save scanning time)? %s " % ("[Y/n]" if conf.multipleTargets else "[y/N]")
Update for an Issue #161 (changing default readInput value regarding the conf.multipleTargets)
2012-08-22 18:06:09 +04:00
kb.ignoreCasted = readInput(message, default='Y' if conf.multipleTargets else 'N').upper() != 'N'
Implementation of an Issue #161
2012-08-22 13:27:58 +04:00
Update for an Issue #161 (now detecting format error messages too)
2012-08-22 17:51:47 +04:00
elif result:
Cosmetics
2013-02-05 13:02:11 +04:00
infoMsg += "be injectable"
if Backend.getErrorParsedDBMSes():
infoMsg += " (possible DBMS: '%s')" % Format.getErrorParsedDBMSes()
Update for an Issue #161 (now detecting format error messages too)
2012-08-22 17:51:47 +04:00
logger.info(infoMsg)
else:
infoMsg += "not be injectable"
logger.warn(infoMsg)
Update for an #161 (preventing further skipping of non-heuristic parameters in ignore casted case)
2012-08-22 13:56:30 +04:00
return kb.heuristicTest
kids, don't use this at home
2010-12-20 13:13:14 +03:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
def checkDynParam(place, parameter, value):
"""
Style and consistency update (url -> URL)
2013-04-09 13:48:42 +04:00
This function checks if the URL parameter is dynamic. If it is
After the storm, a restore..
2008-10-15 19:38:22 +04:00
dynamic, the content of the page differs, otherwise the
dynamicity might depend on another parameter.
"""
few more fixes for proper redirecting mechanism
2012-03-15 23:47:59 +04:00
if kb.redirectChoice:
return None
code refactoring and some fixes
2010-12-18 12:51:34 +03:00
kb.matchRatio = None
minor improvement
2012-01-14 00:56:06 +04:00
dynResult = None
randInt = randomInt()
minor update
2010-11-10 01:44:23 +03:00
sqlmap 0.6.3-rc4: minor enhancement to be able to specify extra HTTP headers by providing option --headers. By default Accept, Accept-Language and Accept-Charset headers are set. Added support to get the injection payload prefix and postfix from user. Minor bug fix to exclude image files when parsing (-l) proxies log files. Minor code adjustments. Updated documentation.
2008-12-09 00:24:24 +03:00
infoMsg = "testing if %s parameter '%s' is dynamic" % (place, parameter)
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
minor improvement
2012-01-14 00:56:06 +04:00
try:
payload = agent.payload(place, parameter, value, getUnicode(randInt))
dynResult = Request.queryPage(payload, place, raise404=False)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
minor improvement
2012-01-14 00:56:06 +04:00
if not dynResult:
infoMsg = "confirming that %s parameter '%s' is dynamic" % (place, parameter)
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
minor improvement
2012-01-14 00:56:06 +04:00
randInt = randomInt()
payload = agent.payload(place, parameter, value, getUnicode(randInt))
dynResult = Request.queryPage(payload, place, raise404=False)
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 17:14:19 +04:00
except SqlmapConnectionException:
minor improvement
2012-01-14 00:56:06 +04:00
pass
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Implementation for an Issue #155
2012-08-20 14:14:01 +04:00
result = None if dynResult is None else not dynResult
kb.dynamicParameter = result
return result
After the storm, a restore..
2008-10-15 19:38:22 +04:00
implementation of a new dynamic content removal engine
2010-10-25 14:41:37 +04:00
def checkDynamicContent(firstPage, secondPage):
changes regarding dynamic content recognition
2010-09-14 01:01:46 +04:00
"""
code refactoring
2010-12-29 22:39:32 +03:00
This function checks for the dynamic content in the provided pages
changes regarding dynamic content recognition
2010-09-14 01:01:46 +04:00
"""
added some debug messages
2010-11-04 12:18:32 +03:00
several bug fixes
2010-11-04 00:51:36 +03:00
if kb.nullConnection:
Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase. Adapted UNION tests' titles when --union-char is provided. Lots of comment adjustments. Code cleanup
2011-01-19 02:03:50 +03:00
debugMsg = "dynamic content checking skipped "
added some debug messages
2010-11-04 12:18:32 +03:00
debugMsg += "because NULL connection used"
logger.debug(debugMsg)
several bug fixes
2010-11-04 00:51:36 +03:00
return
minor fix for a bug reported by yonnym@googlemail.com
2011-01-26 01:26:28 +03:00
if any(page is None for page in (firstPage, secondPage)):
warnMsg = "can't check dynamic content "
warnMsg += "because of lack of page content"
logger.critical(warnMsg)
return
slightly faster and thread safer inference
2011-01-16 13:52:42 +03:00
seqMatcher = getCurrentThreadData().seqMatcher
seqMatcher.set_seq1(firstPage)
seqMatcher.set_seq2(secondPage)
moved injections to xml format
2010-10-07 02:29:52 +04:00
code refactoring
2010-12-29 22:39:32 +03:00
# In case of an intolerable difference turn on dynamicity removal engine
slightly faster and thread safer inference
2011-01-16 13:52:42 +03:00
if seqMatcher.quick_ratio() <= UPPER_RATIO_BOUND:
code refactoring
2010-12-29 22:39:32 +03:00
findDynamicContent(firstPage, secondPage)
minor cosmetics
2010-10-25 23:45:53 +04:00
code refactoring
2010-12-29 22:39:32 +03:00
count = 0
while not Request.queryPage():
count += 1
implementation of a new dynamic content removal engine
2010-10-25 14:41:37 +04:00
code refactoring
2010-12-29 22:39:32 +03:00
if count > conf.retries:
Style and consistency update (url -> URL)
2013-04-09 13:48:42 +04:00
warnMsg = "target URL is too dynamic. "
modifying redirection code for only two choices
2012-03-18 21:27:08 +04:00
warnMsg += "Switching to '--text-only' "
automatically turn on --text-only in case of heavily-dynamicity instead of critical exit
2011-01-03 14:06:49 +03:00
logger.warn(warnMsg)
conf.textOnly = True
return
minor cosmetics
2010-10-25 23:45:53 +04:00
Style and consistency update (url -> URL)
2013-04-09 13:48:42 +04:00
warnMsg = "target URL is heavily dynamic"
Minor language cleanup
2012-10-04 20:28:36 +04:00
warnMsg += ". sqlmap is going to retry the request"
code refactoring
2010-12-29 22:39:32 +03:00
logger.critical(warnMsg)
minor cosmetics
2010-10-25 23:45:53 +04:00
code refactoring
2010-12-29 22:39:32 +03:00
secondPage, _ = Request.queryPage(content=True)
findDynamicContent(firstPage, secondPage)
fix for Bug #165
2010-09-13 17:31:01 +04:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
def checkStability():
"""
This function checks if the URL content is stable requesting the
changes
2010-09-13 19:19:47 +04:00
same page two times with a small delay within each request to
After the storm, a restore..
2008-10-15 19:38:22 +04:00
assume that it is stable.
In case the content of the page differs when requesting
the same page, the dynamicity might depend on other parameters,
like for instance string matching (--string).
"""
Style and consistency update (url -> URL)
2013-04-09 13:48:42 +04:00
infoMsg = "testing if the target URL is stable. This can take a couple of seconds"
sqlmap 0.6.3-rc4: minor enhancement to be able to specify extra HTTP headers by providing option --headers. By default Accept, Accept-Language and Accept-Charset headers are set. Added support to get the injection payload prefix and postfix from user. Minor bug fix to exclude image files when parsing (-l) proxies log files. Minor code adjustments. Updated documentation.
2008-12-09 00:24:24 +03:00
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
minor code restyling
2012-02-22 19:53:36 +04:00
firstPage = kb.originalPage # set inside checkConnection()
Minor adjustment to UNION query SQL injection detection function. Updated command line help message based upon recent developments. Updated copyright note of lib/contrib/multipartpost.py.
2008-12-21 19:35:03 +03:00
time.sleep(1)
minor update
2011-11-29 20:59:06 +04:00
secondPage, _ = Request.queryPage(content=True, raise404=False)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
modifying redirection code for only two choices
2012-03-18 21:27:08 +04:00
if kb.redirectChoice:
return None
conf.md5hash thrown out
2010-10-25 17:52:21 +04:00
kb.pageStable = (firstPage == secondPage)
Initial support to automatically work around the dynamic page at each refresh (Major refactor to the comparison algorithm (True/False response))
2008-12-18 23:48:23 +03:00
conf.md5hash thrown out
2010-10-25 17:52:21 +04:00
if kb.pageStable:
fix for that md5 error reported by Dani (lgrecol@gmail.com)
2010-02-10 12:27:34 +03:00
if firstPage:
Style and consistency update (url -> URL)
2013-04-09 13:48:42 +04:00
infoMsg = "target URL is stable"
Minor variable rename
2011-04-30 19:29:59 +04:00
logger.info(infoMsg)
fix for that md5 error reported by Dani (lgrecol@gmail.com)
2010-02-10 12:27:34 +03:00
else:
Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase. Adapted UNION tests' titles when --union-char is provided. Lots of comment adjustments. Code cleanup
2011-01-19 02:03:50 +03:00
errMsg = "there was an error checking the stability of page "
minor style update
2012-05-28 18:04:17 +04:00
errMsg += "because of lack of content. Please check the "
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
errMsg += "page request results (and probable errors) by "
errMsg += "using higher verbosity levels"
minor update for empty normal responses (like AJAX requests)
2011-08-05 14:55:21 +04:00
logger.error(errMsg)
Major bug fix in the comparison algorithm to correctly handle also the case that the url is stable and the False response changes the page content very little.
2009-02-09 13:28:03 +03:00
conf.md5hash thrown out
2010-10-25 17:52:21 +04:00
else:
Style and consistency update (url -> URL)
2013-04-09 13:48:42 +04:00
warnMsg = "target URL is not stable. sqlmap will base the page "
Cosmetic fixes
2010-10-16 19:10:48 +04:00
warnMsg += "comparison on a sequence matcher. If no dynamic nor "
warnMsg += "injectable parameters are detected, or in case of "
warnMsg += "junk results, refer to user's manual paragraph "
warnMsg += "'Page comparison' and provide a string or regular "
warnMsg += "expression to match on"
Major enhancement to make the comparison algorithm work properly also on url not stables automatically by using the difflib SequenceMatcher object: this changed a lot into the structure of the code, has to be extensively beta-tested! Please, do report bugs on sqlmap-users mailing list if you scout them. Cheers, Bernardo
2008-12-20 04:54:08 +03:00
logger.warn(warnMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
removing --text-only from that "dynamicity" warning selection (other two are more preferable) and minor cosmetics/consistency
2011-01-16 22:29:06 +03:00
message = "how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] "
Minor cleanup
2012-08-20 13:40:49 +04:00
test = readInput(message, default="C")
Cosmetic fixes
2010-10-16 19:10:48 +04:00
added some user interaction when page is dynamic
2010-10-12 19:49:04 +04:00
if test and test[0] in ("q", "Q"):
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 17:14:19 +04:00
raise SqlmapUserQuitException
Cosmetic fixes
2010-10-16 19:10:48 +04:00
added some user interaction when page is dynamic
2010-10-12 19:49:04 +04:00
elif test and test[0] in ("s", "S"):
showStaticWords(firstPage, secondPage)
Cosmetic fixes
2010-10-16 19:10:48 +04:00
added some user interaction when page is dynamic
2010-10-12 19:49:04 +04:00
message = "please enter value for parameter 'string': "
test = readInput(message)
Cosmetic fixes
2010-10-16 19:10:48 +04:00
added some user interaction when page is dynamic
2010-10-12 19:49:04 +04:00
if test:
conf.string = test
added some debug messages
2010-11-04 12:18:32 +03:00
if kb.nullConnection:
Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase. Adapted UNION tests' titles when --union-char is provided. Lots of comment adjustments. Code cleanup
2011-01-19 02:03:50 +03:00
debugMsg = "turning off NULL connection "
added some debug messages
2010-11-04 12:18:32 +03:00
debugMsg += "support because of string checking"
logger.debug(debugMsg)
kb.nullConnection = None
added some user interaction when page is dynamic
2010-10-12 19:49:04 +04:00
else:
bug fix (reported by ToR)
2010-11-10 22:44:51 +03:00
errMsg = "Empty value supplied"
Replacing old and deprecated raise Exception style (PEP8)
2013-01-04 02:20:55 +04:00
raise SqlmapNoneDataException(errMsg)
Cosmetic fixes
2010-10-16 19:10:48 +04:00
added some user interaction when page is dynamic
2010-10-12 19:49:04 +04:00
elif test and test[0] in ("r", "R"):
message = "please enter value for parameter 'regex': "
test = readInput(message)
Cosmetic fixes
2010-10-16 19:10:48 +04:00
added some user interaction when page is dynamic
2010-10-12 19:49:04 +04:00
if test:
conf.regex = test
added some debug messages
2010-11-04 12:18:32 +03:00
if kb.nullConnection:
Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase. Adapted UNION tests' titles when --union-char is provided. Lots of comment adjustments. Code cleanup
2011-01-19 02:03:50 +03:00
debugMsg = "turning off NULL connection "
added some debug messages
2010-11-04 12:18:32 +03:00
debugMsg += "support because of regex checking"
logger.debug(debugMsg)
kb.nullConnection = None
added some user interaction when page is dynamic
2010-10-12 19:49:04 +04:00
else:
bug fix (reported by ToR)
2010-11-10 22:44:51 +03:00
errMsg = "Empty value supplied"
Replacing old and deprecated raise Exception style (PEP8)
2013-01-04 02:20:55 +04:00
raise SqlmapNoneDataException(errMsg)
minor update
2011-01-06 11:54:50 +03:00
added some user interaction when page is dynamic
2010-10-12 19:49:04 +04:00
else:
code refactoring
2010-12-29 22:39:32 +03:00
checkDynamicContent(firstPage, secondPage)
minor update
2010-11-29 18:25:45 +03:00
conf.md5hash thrown out
2010-10-25 17:52:21 +04:00
return kb.pageStable
Minor layout adjustment and typo fix
2010-03-12 15:23:05 +03:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
def checkString():
if not conf.string:
return True
Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase. Adapted UNION tests' titles when --union-char is provided. Lots of comment adjustments. Code cleanup
2011-01-19 02:03:50 +03:00
infoMsg = "testing if the provided string is within the "
sqlmap 0.6.3-rc4: minor enhancement to be able to specify extra HTTP headers by providing option --headers. By default Accept, Accept-Language and Accept-Charset headers are set. Added support to get the injection payload prefix and postfix from user. Minor bug fix to exclude image files when parsing (-l) proxies log files. Minor code adjustments. Updated documentation.
2008-12-09 00:24:24 +03:00
infoMsg += "target URL page content"
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Search for --string and --regexp matches also in HTTP response headers
2011-08-12 19:33:37 +04:00
page, headers = Request.queryPage(content=True)
rawResponse = "%s%s" % (listToStrValue(headers.headers if headers else ""), page)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Search for --string and --regexp matches also in HTTP response headers
2011-08-12 19:33:37 +04:00
if conf.string not in rawResponse:
Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase. Adapted UNION tests' titles when --union-char is provided. Lots of comment adjustments. Code cleanup
2011-01-19 02:03:50 +03:00
warnMsg = "you provided '%s' as the string to " % conf.string
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-18 01:00:09 +03:00
warnMsg += "match, but such a string is not within the target "
Search for --string and --regexp matches also in HTTP response headers
2011-08-12 19:33:37 +04:00
warnMsg += "URL raw response, sqlmap will carry on anyway"
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-18 01:00:09 +03:00
logger.warn(warnMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-18 01:00:09 +03:00
return True
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3.
2008-12-12 22:06:31 +03:00
def checkRegexp():
if not conf.regexp:
return True
Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase. Adapted UNION tests' titles when --union-char is provided. Lots of comment adjustments. Code cleanup
2011-01-19 02:03:50 +03:00
infoMsg = "testing if the provided regular expression matches within "
Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3.
2008-12-12 22:06:31 +03:00
infoMsg += "the target URL page content"
logger.info(infoMsg)
Search for --string and --regexp matches also in HTTP response headers
2011-08-12 19:33:37 +04:00
page, headers = Request.queryPage(content=True)
rawResponse = "%s%s" % (listToStrValue(headers.headers if headers else ""), page)
Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3.
2008-12-12 22:06:31 +03:00
Search for --string and --regexp matches also in HTTP response headers
2011-08-12 19:33:37 +04:00
if not re.search(conf.regexp, rawResponse, re.I | re.M):
Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase. Adapted UNION tests' titles when --union-char is provided. Lots of comment adjustments. Code cleanup
2011-01-19 02:03:50 +03:00
warnMsg = "you provided '%s' as the regular expression to " % conf.regexp
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-18 01:00:09 +03:00
warnMsg += "match, but such a regular expression does not have any "
Search for --string and --regexp matches also in HTTP response headers
2011-08-12 19:33:37 +04:00
warnMsg += "match within the target URL raw response, sqlmap "
warnMsg += "will carry on anyway"
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-18 01:00:09 +03:00
logger.warn(warnMsg)
Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3.
2008-12-12 22:06:31 +03:00
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-18 01:00:09 +03:00
return True
Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3.
2008-12-12 22:06:31 +03:00
few bug fixes (NTLM credential parsing was wrong), some switch reordering (few Misc to General), implemented --check-waf switch (irony is that this will also be called highly experimental/unstable while other things will be called "major/turbo/super bug fix/implementation")
2011-07-06 09:44:47 +04:00
def checkWaf():
"""
Reference: http://seclists.org/nmap-dev/2011/q2/att-1005/http-waf-detect.nse
"""
if not conf.checkWaf:
return False
Minor text update
2013-07-08 14:38:36 +04:00
infoMsg = "heuristically checking if the target is protected by "
few bug fixes (NTLM credential parsing was wrong), some switch reordering (few Misc to General), implemented --check-waf switch (irony is that this will also be called highly experimental/unstable while other things will be called "major/turbo/super bug fix/implementation")
2011-07-06 09:44:47 +04:00
infoMsg += "some kind of WAF/IPS/IDS"
logger.info(infoMsg)
retVal = False
backup = dict(conf.parameters)
Minor text update
2013-07-08 14:44:14 +04:00
payload = "%d %s" % (randomInt(), IDS_WAF_CHECK_PAYLOAD)
few bug fixes (NTLM credential parsing was wrong), some switch reordering (few Misc to General), implemented --check-waf switch (irony is that this will also be called highly experimental/unstable while other things will be called "major/turbo/super bug fix/implementation")
2011-07-06 09:44:47 +04:00
conf.parameters = dict(backup)
conf.parameters[PLACE.GET] = "" if not conf.parameters.get(PLACE.GET) else conf.parameters[PLACE.GET] + "&"
Minor text update
2013-07-08 14:44:14 +04:00
conf.parameters[PLACE.GET] += "%s=%s" % (randomStr(), payload)
logger.log(CUSTOM_LOGGING.PAYLOAD, payload)
few bug fixes (NTLM credential parsing was wrong), some switch reordering (few Misc to General), implemented --check-waf switch (irony is that this will also be called highly experimental/unstable while other things will be called "major/turbo/super bug fix/implementation")
2011-07-06 09:44:47 +04:00
kb.matchRatio = None
removing of unused imports together with some general code refactoring
2012-02-22 14:40:11 +04:00
Request.queryPage()
few bug fixes (NTLM credential parsing was wrong), some switch reordering (few Misc to General), implemented --check-waf switch (irony is that this will also be called highly experimental/unstable while other things will be called "major/turbo/super bug fix/implementation")
2011-07-06 09:44:47 +04:00
if kb.errorIsNone and kb.matchRatio is None:
kb.matchRatio = LOWER_RATIO_BOUND
conf.parameters = dict(backup)
conf.parameters[PLACE.GET] = "" if not conf.parameters.get(PLACE.GET) else conf.parameters[PLACE.GET] + "&"
conf.parameters[PLACE.GET] += "%s=%d" % (randomStr(), randomInt())
trueResult = Request.queryPage()
if trueResult:
conf.parameters = dict(backup)
conf.parameters[PLACE.GET] = "" if not conf.parameters.get(PLACE.GET) else conf.parameters[PLACE.GET] + "&"
conf.parameters[PLACE.GET] += "%s=%d %s" % (randomStr(), randomInt(), IDS_WAF_CHECK_PAYLOAD)
falseResult = Request.queryPage()
if not falseResult:
retVal = True
conf.parameters = dict(backup)
if retVal:
cosmetics
2011-07-07 00:41:13 +04:00
warnMsg = "it appears that the target is protected. Please "
some estetic updates
2012-02-01 18:49:42 +04:00
warnMsg += "consider usage of tamper scripts (option '--tamper')"
few bug fixes (NTLM credential parsing was wrong), some switch reordering (few Misc to General), implemented --check-waf switch (irony is that this will also be called highly experimental/unstable while other things will be called "major/turbo/super bug fix/implementation")
2011-07-06 09:44:47 +04:00
logger.warn(warnMsg)
else:
infoMsg = "it appears that the target is not protected"
logger.info(infoMsg)
return retVal
Update for an Issue #290 (adding tamper-like scripts into (new) directory waf)
2013-02-21 14:14:57 +04:00
def identifyWaf():
if not conf.identifyWaf:
return None
Minor update for an Issue #290
2013-02-26 14:08:06 +04:00
kb.testMode = True
Update for an Issue #290 (adding tamper-like scripts into (new) directory waf)
2013-02-21 14:14:57 +04:00
infoMsg = "using WAF scripts to detect "
infoMsg += "backend WAF/IPS/IDS protection"
logger.info(infoMsg)
Finalizing implementation for an Issue #290
2013-02-21 17:33:12 +04:00
@cachedmethod
def _(*args, **kwargs):
Minor fix
2013-03-19 22:06:51 +04:00
page, headers, code = None, None, None
Finalizing implementation for an Issue #290
2013-02-21 17:33:12 +04:00
try:
if kwargs.get("get"):
kwargs["get"] = urlencode(kwargs["get"])
kwargs["raise404"] = False
Code refactoring
2013-03-19 22:24:14 +04:00
kwargs["silent"] = True
Minor fix
2013-03-19 22:06:51 +04:00
page, headers, code = Request.getPage(*args, **kwargs)
except Exception:
pass
return page or "", headers or {}, code
Finalizing implementation for an Issue #290
2013-02-21 17:33:12 +04:00
Update for an Issue #290 (adding tamper-like scripts into (new) directory waf)
2013-02-21 14:14:57 +04:00
retVal = False
Minor refactoring for an Issue #290
2013-02-21 17:39:22 +04:00
for function, product in kb.wafFunctions:
try:
Minor style update
2013-02-21 17:52:56 +04:00
logger.debug("checking for WAF/IDS/IPS product '%s'" % product)
Finalizing implementation for an Issue #290
2013-02-21 17:33:12 +04:00
found = function(_)
Minor refactoring for an Issue #290
2013-02-21 17:39:22 +04:00
except Exception, ex:
Minor fix
2013-07-31 11:22:45 +04:00
errMsg = "exception occurred while running "
Minor refactoring for an Issue #290
2013-02-21 17:39:22 +04:00
errMsg += "WAF script for '%s' ('%s')" % (product, ex)
logger.critical(errMsg)
found = False
Finalizing implementation for an Issue #290
2013-02-21 17:33:12 +04:00
Update for an Issue #290 (adding tamper-like scripts into (new) directory waf)
2013-02-21 14:14:57 +04:00
if found:
retVal = product
break
if retVal:
Minor style update
2013-02-26 14:16:09 +04:00
errMsg = "WAF/IDS/IPS identified '%s'. Please " % retVal
Minor refactoring for an Issue #290
2013-02-21 17:39:22 +04:00
errMsg += "consider usage of tamper scripts (option '--tamper')"
logger.critical(errMsg)
Adding a question after WAF has been identified
2013-05-18 20:26:40 +04:00
Minor cosmetic update
2013-05-18 20:28:44 +04:00
message = "are you sure that you want to "
message += "continue with further target testing? [y/N] "
Adding a question after WAF has been identified
2013-05-18 20:26:40 +04:00
output = readInput(message, default="N")
if output and output[0] not in ("Y", "y"):
raise SqlmapUserQuitException
Update for an Issue #290 (adding tamper-like scripts into (new) directory waf)
2013-02-21 14:14:57 +04:00
else:
Changing from warn to info for no WAF found
2013-02-22 15:15:38 +04:00
infoMsg = "no WAF/IDS/IPS product has been identified"
logger.info(infoMsg)
Update for an Issue #290 (adding tamper-like scripts into (new) directory waf)
2013-02-21 14:14:57 +04:00
Minor update for an Issue #290
2013-02-26 14:08:06 +04:00
kb.testMode = False
Update for an Issue #290 (adding tamper-like scripts into (new) directory waf)
2013-02-21 14:14:57 +04:00
return retVal
added null connection check
2010-09-16 12:43:10 +04:00
def checkNullConnection():
Minor comment
2010-10-15 15:17:17 +04:00
"""
Reference: http://www.wisec.it/sectou.php?id=472f952d79293
"""
Fix for an Issue #152
2012-08-20 12:41:43 +04:00
if conf.data:
return False
Style and consistency update (url -> URL)
2013-04-09 13:48:42 +04:00
infoMsg = "testing NULL connection to the target URL"
added null connection check
2010-09-16 12:43:10 +04:00
logger.info(infoMsg)
Minor fix
2013-05-17 18:04:05 +04:00
pushValue(kb.pageCompress)
kb.pageCompress = False
added null connection check
2010-09-16 12:43:10 +04:00
try:
Added --code switch to match in boolean-based tests against the HTTP response code
2011-08-12 20:48:11 +04:00
page, headers, _ = Request.getPage(method=HTTPMETHOD.HEAD)
minor refactoring
2010-12-06 18:50:19 +03:00
Update for consistency (all other enums are using _ in between words)
2013-03-20 14:10:24 +04:00
if not page and HTTP_HEADER.CONTENT_LENGTH in (headers or {}):
minor update
2010-11-08 12:49:57 +03:00
kb.nullConnection = NULLCONNECTION.HEAD
More verbose messages on successful --null-connection
2010-10-15 14:24:54 +04:00
Cosmetic fix
2010-10-15 16:46:41 +04:00
infoMsg = "NULL connection is supported with HEAD header"
More verbose messages on successful --null-connection
2010-10-15 14:24:54 +04:00
logger.info(infoMsg)
added null connection check
2010-09-16 12:43:10 +04:00
else:
Update for consistency (all other enums are using _ in between words)
2013-03-20 14:10:24 +04:00
page, headers, _ = Request.getPage(auxHeaders={HTTP_HEADER.RANGE: "bytes=-1"})
minor refactoring
2010-12-06 18:50:19 +03:00
Update for consistency (all other enums are using _ in between words)
2013-03-20 14:10:24 +04:00
if page and len(page) == 1 and HTTP_HEADER.CONTENT_RANGE in (headers or {}):
minor update
2010-11-08 12:49:57 +03:00
kb.nullConnection = NULLCONNECTION.RANGE
added null connection check
2010-09-16 12:43:10 +04:00
Cosmetic fix
2010-10-15 16:46:41 +04:00
infoMsg = "NULL connection is supported with GET header "
More verbose messages on successful --null-connection
2010-10-15 14:24:54 +04:00
infoMsg += "'%s'" % kb.nullConnection
logger.info(infoMsg)
Implementation for an Issue #450
2013-05-17 17:04:25 +04:00
else:
_, headers, _ = Request.getPage(skipRead = True)
if HTTP_HEADER.CONTENT_LENGTH in (headers or {}):
kb.nullConnection = NULLCONNECTION.SKIP_READ
infoMsg = "NULL connection is supported with 'skip-read' method"
logger.info(infoMsg)
minor refactoring
2010-12-06 18:50:19 +03:00
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 17:14:19 +04:00
except SqlmapConnectionException, errMsg:
added null connection check
2010-09-16 12:43:10 +04:00
errMsg = getUnicode(errMsg)
Replacing old and deprecated raise Exception style (PEP8)
2013-01-04 02:20:55 +04:00
raise SqlmapConnectionException(errMsg)
added null connection check
2010-09-16 12:43:10 +04:00
Minor fix
2013-05-17 18:04:05 +04:00
kb.pageCompress = popValue()
added null connection check
2010-09-16 12:43:10 +04:00
return kb.nullConnection is not None
minor update
2010-11-15 15:19:22 +03:00
def checkConnection(suppressOutput=False):
Adding a hidden switch --dummy used for dummy runs (getPage() returns random data) - usefull for testing purposes for skipping connections
2013-02-28 23:20:08 +04:00
if not any((conf.proxy, conf.tor, conf.dummy)):
minor update
2011-06-24 21:19:24 +04:00
try:
socket.getaddrinfo(conf.hostname, None)
except socket.gaierror:
errMsg = "host '%s' does not exist" % conf.hostname
Minor fix
2013-07-31 11:22:45 +04:00
raise SqlmapConnectionException(errMsg)
except socket.error, ex:
errMsg = "problem occurred while "
errMsg += "resolving a host name '%s' ('%s')" % (conf.hostname, str(ex))
Replacing old and deprecated raise Exception style (PEP8)
2013-01-04 02:20:55 +04:00
raise SqlmapConnectionException(errMsg)
added test for site existance
2010-05-21 17:36:49 +04:00
Minor style update
2013-02-28 23:28:34 +04:00
if not suppressOutput and not conf.dummy:
Style and consistency update (url -> URL)
2013-04-09 13:48:42 +04:00
infoMsg = "testing connection to the target URL"
minor update
2010-11-15 15:19:22 +03:00
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
try:
Fix for an Issue #640
2014-03-15 01:20:20 +04:00
Request.queryPage(content=True, noteResponseTime=False) # dropping first page because it can be totally different than subsequent (e.g. WebGoat) before the Cookie is set up
initial page request can result in unwanted lag (e.g. slow DNS response,...), hence it's response time shouldn't be a part of response time statistical model
2011-04-19 12:55:38 +04:00
page, _ = Request.queryPage(content=True, noteResponseTime=False)
OR based inference works for the first time in history and fingerprint of 4 major DBMSes is now injection based (instead of AND)
2010-12-06 21:20:57 +03:00
kb.originalPage = kb.pageTemplate = page
minor update
2011-01-01 23:19:55 +03:00
kb.errorIsNone = False
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
Better naming
2013-01-29 23:53:11 +04:00
if not kb.originalPage and wasLastResponseHTTPError():
minor fix for a bug reported by yonnym@googlemail.com
2011-01-26 01:26:28 +03:00
errMsg = "unable to retrieve page content"
Replacing old and deprecated raise Exception style (PEP8)
2013-01-04 02:20:55 +04:00
raise SqlmapConnectionException(errMsg)
Better naming
2013-01-29 23:53:11 +04:00
elif wasLastResponseDBMSError():
minor typo fixes
2012-07-17 03:25:02 +04:00
warnMsg = "there is a DBMS error found in the HTTP response body "
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
warnMsg += "which could interfere with the results of the tests"
minor update
2011-01-01 23:19:55 +03:00
logger.warn(warnMsg)
Better naming
2013-01-29 23:53:11 +04:00
elif wasLastResponseHTTPError():
minor improvement
2012-01-14 00:56:06 +04:00
warnMsg = "the web server responded with an HTTP error code (%d) " % getLastRequestHTTPError()
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
warnMsg += "which could interfere with the results of the tests"
minor update
2011-01-01 23:19:55 +03:00
logger.warn(warnMsg)
else:
kb.errorIsNone = True
minor update
2012-05-25 12:30:24 +04:00
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 17:14:19 +04:00
except SqlmapConnectionException, errMsg:
more unicode refactoring
2010-06-02 16:45:40 +04:00
errMsg = getUnicode(errMsg)
minor update (for cases with 404 original page - e.g. time based injections in some cases)
2011-11-21 03:11:18 +04:00
logger.critical(errMsg)
minor update
2012-05-25 12:30:24 +04:00
if conf.ipv6:
warnMsg = "check connection to a provided "
warnMsg += "IPv6 address with a tool like ping6 "
Minor cosmetics
2013-05-20 00:17:53 +04:00
warnMsg += "(e.g. 'ping6 -I eth0 %s') " % conf.hostname
minor update
2012-05-25 12:30:24 +04:00
warnMsg += "prior to running sqlmap to avoid "
warnMsg += "any addressing issues"
singleTimeWarnMessage(warnMsg)
minor beautification
2011-12-16 03:33:44 +04:00
if any(code in kb.httpErrorCodes for code in (httplib.NOT_FOUND, )):
minor fix
2012-02-07 15:16:03 +04:00
if conf.multipleTargets:
return False
minor update
2011-12-16 03:29:11 +04:00
msg = "it is not recommended to continue in this kind of cases. Do you want to quit and make sure that everything is set up properly? [Y/n] "
if readInput(msg, default="Y") not in ("n", "N"):
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 17:14:19 +04:00
raise SqlmapSilentQuitException
minor update
2011-12-16 03:29:11 +04:00
else:
kb.ignoreNotFound = True
minor update
2011-12-05 13:25:56 +04:00
else:
minor update
2011-12-16 03:29:11 +04:00
raise
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return True
Adding change verbosity level in testing phase when Ctrl+C pressed
2013-10-17 18:54:53 +04:00
def setVerbosity(): # Cross-linked function
raise NotImplementedError
Reference in New Issue Copy Permalink