sqlmap/lib/core/settings.py


#!/usr/bin/env python
"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import os
import re
import subprocess
import string
import sys
from lib.core.enums import DBMS
from lib.core.enums import DBMS_DIRECTORY_NAME
from lib.core.enums import OS
from lib.core.revision import getRevisionNumber
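# sqlmap version and site
VERSION = "1.0-dev"
REVISION = getRevisionNumber()
# The "-<revision>" suffix is only appended when a revision number could be determined
VERSION_STRING = "sqlmap/%s%s" % (VERSION, "-%s" % REVISION if REVISION else "")
DESCRIPTION = "automatic SQL injection and database takeover tool"
SITE = "http://sqlmap.org"
ISSUES_PAGE = "https://github.com/sqlmapproject/sqlmap/issues/new"
# NOTE(review): the git:// transport is neither authenticated nor encrypted, so
# code fetched through it (e.g. by a self-update) cannot be verified in transit;
# the https:// clone URL of the same repository would close that gap
GIT_REPOSITORY = "git://github.com/sqlmapproject/sqlmap.git"
ML = "sqlmap-users@lists.sourceforge.net"

# Minimum distance of ratio from kb.matchRatio to result in True
DIFF_TOLERANCE = 0.05
CONSTANT_RATIO = 0.9

# Lower and upper values for match ratio in case of stable page
LOWER_RATIO_BOUND = 0.02
UPPER_RATIO_BOUND = 0.98

# Markers for special cases when parameter values contain html encoded characters
PARAMETER_AMP_MARKER = "__AMP__"
PARAMETER_SEMICOLON_MARKER = "__SEMICOLON__"
PARTIAL_VALUE_MARKER = "__PARTIAL_VALUE__"
PARTIAL_HEX_VALUE_MARKER = "__PARTIAL_HEX_VALUE__"
URI_QUESTION_MARKER = "__QUESTION_MARK__"
ASTERISK_MARKER = "__ASTERISK_MARK__"
REPLACEMENT_MARKER = "__REPLACEMENT_MARK__"

# Delimiter used between payload parts (single NUL byte)
PAYLOAD_DELIMITER = "\x00"
# Placeholder substituted with the character being inferred
CHAR_INFERENCE_MARK = "%c"
# Matches a single printable (non-control, non-high-bit) character
PRINTABLE_CHAR_REGEX = r"[^\x00-\x1f\x7f-\xff]"

# Regular expression used for recognition of generic permission messages
PERMISSION_DENIED_REGEX = r"(command|permission|access)\s*(was|is)?\s*denied"

# Regular expression used for recognition of generic maximum connection messages
MAX_CONNECTIONS_REGEX = r"max.+connections"

# Regular expression used for extracting results from google search
GOOGLE_REGEX = r"url\?\w+=((?![^>]+webcache\.googleusercontent\.com)http[^>]+)&(sa=U|rct=j)"

# Regular expression used for extracting content from "textual" tags
TEXT_TAG_REGEX = r"(?si)<(abbr|acronym|b|blockquote|br|center|cite|code|dt|em|font|h\d|i|li|p|pre|q|strong|sub|sup|td|th|title|tt|u)(?!\w).*?>(?P<result>[^<]+)"

# Regular expression used for recognition of IP addresses
IP_ADDRESS_REGEX = r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"

# Dumping characters used in GROUP_CONCAT MySQL technique
CONCAT_ROW_DELIMITER = ','
CONCAT_VALUE_DELIMITER = '|'

# Coefficient used for a time-based query delay checking (must be >= 7)
TIME_STDEV_COEFF = 7

# Minimum response time that can be even considered as delayed (not a complete requirement)
MIN_VALID_DELAYED_RESPONSE = 0.5

# Standard deviation after which a warning message should be displayed about connection lags
WARN_TIME_STDEV = 0.5

# Minimum length of usable union injected response (quick defense against substr fields)
UNION_MIN_RESPONSE_CHARS = 10

# Coefficient used for a union-based number of columns checking (must be >= 7)
UNION_STDEV_COEFF = 7

# Length of queue for candidates for time delay adjustment
TIME_DELAY_CANDIDATES = 3

# Default value for HTTP Accept header
HTTP_ACCEPT_HEADER_VALUE = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"

# Default value for HTTP Accept-Encoding header
HTTP_ACCEPT_ENCODING_HEADER_VALUE = "gzip,deflate"

# Default timeout for running commands over backdoor
BACKDOOR_RUN_CMD_TIMEOUT = 5

# Maximum number of techniques used in inject.py/getValue() per one value
MAX_TECHNIQUES_PER_VALUE = 2

# Suffix used for naming meta databases in DBMS(es) without explicit database name
METADB_SUFFIX = "_masterdb"

# Minimum time response set needed for time-comparison based on standard deviation
MIN_TIME_RESPONSES = 15

# Minimum comparison ratio set needed for searching valid union column number based on standard deviation
MIN_UNION_RESPONSES = 5

# After these number of blanks at the end inference should stop (just in case)
INFERENCE_BLANK_BREAK = 10

# Use this replacement character for cases when inference is not able to retrieve the proper character value
INFERENCE_UNKNOWN_CHAR = '?'

# Character used for operation "greater" in inference
INFERENCE_GREATER_CHAR = ">"

# Character used for operation "equals" in inference
INFERENCE_EQUALS_CHAR = "="

# Character used for operation "not-equals" in inference
INFERENCE_NOT_EQUALS_CHAR = "!="

# String used for representation of unknown dbms
UNKNOWN_DBMS = "Unknown"

# String used for representation of unknown dbms version
UNKNOWN_DBMS_VERSION = "Unknown"

# Dynamicity mark length used in dynamicity removal engine
DYNAMICITY_MARK_LENGTH = 32

# Dummy user prefix used in dictionary attack
DUMMY_USER_PREFIX = "__dummy__"

# Reference: http://en.wikipedia.org/wiki/ISO/IEC_8859-1
DEFAULT_PAGE_ENCODING = "iso-8859-1"

# URL used in dummy runs
DUMMY_URL = "http://foo/bar?id=1"

# System variables
# Same test the (undocumented) subprocess.mswindows flag performs in Python 2;
# spelled out here so the setting does not depend on a private stdlib attribute
IS_WIN = sys.platform == "win32"

# The name of the operating system dependent module imported. The following names have currently been registered: 'posix', 'nt', 'mac', 'os2', 'ce', 'java', 'riscos'
PLATFORM = os.name
# Interpreter version without the build/compiler details that follow it in sys.version
PYVERSION = sys.version.split()[0]

# Database management system specific variables
# Names of system/metadata databases (or equivalents) that are skipped when enumerating user databases
MSSQL_SYSTEM_DBS = ("Northwind", "master", "model", "msdb", "pubs", "tempdb")
MYSQL_SYSTEM_DBS = ("information_schema", "mysql")  # Before MySQL 5.0 only "mysql"
PGSQL_SYSTEM_DBS = ("information_schema", "pg_catalog", "pg_toast")
ORACLE_SYSTEM_DBS = ("CTXSYS", "DBSNMP", "DMSYS", "EXFSYS", "MDSYS", "OLAPSYS", "ORDSYS", "OUTLN", "SYS", "SYSAUX", "SYSMAN", "SYSTEM", "TSMSYS", "WMSYS", "XDB")  # These are TABLESPACE_NAME
SQLITE_SYSTEM_DBS = ("sqlite_master", "sqlite_temp_master")
ACCESS_SYSTEM_DBS = ("MSysAccessObjects", "MSysACEs", "MSysObjects", "MSysQueries", "MSysRelationships", "MSysAccessStorage",
                     "MSysAccessXML", "MSysModules", "MSysModules2")
# "RDB$FILES" previously carried a leading space, so that system table never matched
FIREBIRD_SYSTEM_DBS = ("RDB$BACKUP_HISTORY", "RDB$CHARACTER_SETS", "RDB$CHECK_CONSTRAINTS", "RDB$COLLATIONS", "RDB$DATABASE",
                       "RDB$DEPENDENCIES", "RDB$EXCEPTIONS", "RDB$FIELDS", "RDB$FIELD_DIMENSIONS", "RDB$FILES", "RDB$FILTERS",
                       "RDB$FORMATS", "RDB$FUNCTIONS", "RDB$FUNCTION_ARGUMENTS", "RDB$GENERATORS", "RDB$INDEX_SEGMENTS", "RDB$INDICES",
                       "RDB$LOG_FILES", "RDB$PAGES", "RDB$PROCEDURES", "RDB$PROCEDURE_PARAMETERS", "RDB$REF_CONSTRAINTS", "RDB$RELATIONS",
                       "RDB$RELATION_CONSTRAINTS", "RDB$RELATION_FIELDS", "RDB$ROLES", "RDB$SECURITY_CLASSES", "RDB$TRANSACTIONS", "RDB$TRIGGERS",
                       "RDB$TRIGGER_MESSAGES", "RDB$TYPES", "RDB$USER_PRIVILEGES", "RDB$VIEW_RELATIONS")
MAXDB_SYSTEM_DBS = ("SYSINFO", "DOMAIN")
SYBASE_SYSTEM_DBS = ("master", "model", "sybsystemdb", "sybsystemprocs")
DB2_SYSTEM_DBS = ("NULLID", "SQLJ", "SYSCAT", "SYSFUN", "SYSIBM", "SYSIBMADM", "SYSIBMINTERNAL", "SYSIBMTS",
                  "SYSPROC", "SYSPUBLIC", "SYSSTAT", "SYSTOOLS")

# Lower-case names accepted on the command line for each supported DBMS
MSSQL_ALIASES = ("microsoft sql server", "mssqlserver", "mssql", "ms")
MYSQL_ALIASES = ("mysql", "my")
PGSQL_ALIASES = ("postgresql", "postgres", "pgsql", "psql", "pg")
ORACLE_ALIASES = ("oracle", "orcl", "ora", "or")
SQLITE_ALIASES = ("sqlite", "sqlite3")
ACCESS_ALIASES = ("msaccess", "access", "jet", "microsoft access")
FIREBIRD_ALIASES = ("firebird", "mozilla firebird", "interbase", "ibase", "fb")
MAXDB_ALIASES = ("maxdb", "sap maxdb", "sap db")
SYBASE_ALIASES = ("sybase", "sybase sql server")
DB2_ALIASES = ("db2", "ibm db2", "ibmdb2")

# Maps each public DBMS enum value to the matching DBMS_DIRECTORY_NAME value (same attribute name on both enums)
DBMS_DIRECTORY_DICT = dict((getattr(DBMS, _), getattr(DBMS_DIRECTORY_NAME, _)) for _ in dir(DBMS) if not _.startswith("_"))
SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES
SUPPORTED_OS = ("linux", "windows")
USER_AGENT_ALIASES = ("ua", "useragent", "user-agent")
REFERER_ALIASES = ("ref", "referer", "referrer")
HOST_ALIASES = ("host",)

# Items displayed in basic help (-h) output
BASIC_HELP_ITEMS = (
    "url",
    "googleDork",
    "data",
    "cookie",
    "randomAgent",
    "proxy",
    "testParameter",
    "dbms",
    "level",
    "risk",
    "tech",
    "getAll",
    "getBanner",
    "getCurrentUser",
    "getCurrentDb",
    "getPasswordHashes",
    "getTables",
    "getColumns",
    "getSchema",
    "dumpTable",
    "dumpAll",
    "db",
    "tbl",
    "col",
    "osShell",
    "osPwn",
    "batch",
    "checkTor",
    "flushSession",
    "tor",
    "wizard",
)

# String representation for NULL value
NULL = "NULL"

# String representation for blank ('') value
BLANK = "<blank>"

# String representation for current database
CURRENT_DB = "CD"

# Regular expressions used for parsing error messages (--parse-errors)
ERROR_PARSING_REGEXES = (
    r"<b>[^<]*(fatal|error|warning|exception)[^<]*</b>:?\s*(?P<result>.+?)<br\s*/?\s*>",
    r"(?m)^(fatal|error|warning|exception):?\s*(?P<result>.+?)$",
    r"<li>Error Type:<br>(?P<result>.+?)</li>",
    r"error '[0-9a-f]{8}'((<[^>]+>)|\s)+(?P<result>[^<>]+)",
)

# Regular expression used for parsing charset info from meta html headers
META_CHARSET_REGEX = r'(?si)<head>.*<meta http-equiv="?content-type"?[^>]+charset=(?P<result>[^">]+).*</head>'

# Regular expression used for parsing refresh info from meta html headers
META_REFRESH_REGEX = r'(?si)<head>.*<meta http-equiv="?refresh"?[^>]+content="?[^">]+url=(?P<result>[^">]+).*</head>'

# Regular expression used for parsing empty fields in tested form data
EMPTY_FORM_FIELDS_REGEX = r'(&|\A)(?P<result>[^=]+=(&|\Z))'

# Reference: http://www.cs.ru.nl/bachelorscripties/2010/Martin_Devillers___0437999___Analyzing_password_strength.pdf
COMMON_PASSWORD_SUFFIXES = ("1", "123", "2", "12", "3", "13", "7", "11", "5", "22", "23", "01", "4", "07", "21", "14", "10", "06", "08", "8", "15", "69", "16", "6", "18")

# Reference: http://www.the-interweb.com/serendipity/index.php?/archives/94-A-brief-analysis-of-40,000-leaked-MySpace-passwords.html
COMMON_PASSWORD_SUFFIXES += ("!", ".", "*", "!!", "?", ";", "..", "!!!", ", ", "@")

# Splitter used between requests in WebScarab log files
WEBSCARAB_SPLITTER = "### Conversation"

# Splitter used between requests in BURP log files
BURP_REQUEST_REGEX = r"={10,}\s+[^=]+={10,}\s(.+?)\s={10,}"

# Encoding used for Unicode data
UNICODE_ENCODING = "utf8"

# Reference: http://www.w3.org/Protocols/HTTP/Object_Headers.html#uri
URI_HTTP_HEADER = "URI"

# Uri format which could be injectable (e.g. www.site.com/id82)
URI_INJECTABLE_REGEX = r"//[^/]*/([^\.*?]+)\Z"

# Regex used for masking sensitive data (raw string: the backslashes are regex
# escapes, not Python string escapes; the %s is filled in by the caller)
SENSITIVE_DATA_REGEX = r"(\s|=)(?P<result>[^\s=]*%s[^\s]*)\s"

# Maximum number of threads (avoiding connection issues and/or DoS)
MAX_NUMBER_OF_THREADS = 10

# Minimum range between minimum and maximum of statistical set
MIN_STATISTICAL_RANGE = 0.01

# Minimum value for comparison ratio
MIN_RATIO = 0.0

# Maximum value for comparison ratio
MAX_RATIO = 1.0

# Character used for marking injectable position inside provided data
CUSTOM_INJECTION_MARK_CHAR = '*'

# Other way to declare injection position
INJECT_HERE_MARK = '%INJECT HERE%'

# Maximum length used for retrieving data over MySQL error based payload due to "known" problems with longer result strings
MYSQL_ERROR_CHUNK_LENGTH = 50

# Maximum length used for retrieving data over MSSQL error based payload due to trimming problems with longer result strings
MSSQL_ERROR_CHUNK_LENGTH = 100

# Do not escape the injected statement if it contains any of the following SQL keywords
EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ", "EXEC ", "RECONFIGURE ", "DECLARE ", "'%s'" % CHAR_INFERENCE_MARK)

# Mark used for replacement of reflected values
REFLECTED_VALUE_MARKER = "__REFLECTED_VALUE__"

# Regular expression used for replacing border non-alphanum characters
REFLECTED_BORDER_REGEX = r"[^A-Za-z]+"

# Regular expression used for replacing non-alphanum characters
REFLECTED_REPLACEMENT_REGEX = r".+?"

# Maximum number of alpha-numerical parts in reflected regex (for speed purposes)
REFLECTED_MAX_REGEX_PARTS = 10

# Chars which can be used as a failsafe values in case of too long URL encoding value
URLENCODE_FAILSAFE_CHARS = "()|,"

# Maximum length of URL encoded value after which failsafe procedure takes away
URLENCODE_CHAR_LIMIT = 2000

# Default schema for Microsoft SQL Server DBMS
DEFAULT_MSSQL_SCHEMA = "dbo"

# Display hash attack info every mod number of items
HASH_MOD_ITEM_DISPLAY = 11

# Maximum integer value (sys.maxint exists on Python 2 only; Python 3 offers sys.maxsize)
MAX_INT = sys.maxint

# Options that need to be restored in multiple targets run mode
RESTORE_MERGED_OPTIONS = ("col", "db", "dnsName", "privEsc", "tbl", "regexp", "string", "textOnly", "threads", "timeSec", "tmpPath", "uChar", "user")

# Parameters to be ignored in detection phase (upper case)
IGNORE_PARAMETERS = ("__VIEWSTATE", "__VIEWSTATEENCRYPTED", "__EVENTARGUMENT", "__EVENTTARGET", "__EVENTVALIDATION", "ASPSESSIONID", "ASP.NET_SESSIONID", "JSESSIONID", "CFID", "CFTOKEN")

# Regular expression used for recognition of ASP.NET control parameters
ASP_NET_CONTROL_REGEX = r"(?i)\Actl\d+\$"

# Turn off resume console info to avoid potential slowdowns
TURN_OFF_RESUME_INFO_LIMIT = 20

# Strftime format for results file used in multiple target mode
RESULTS_FILE_FORMAT = "results-%m%d%Y_%I%M%p.csv"

# Official web page with the list of Python supported codecs
CODECS_LIST_PAGE = "http://docs.python.org/library/codecs.html#standard-encodings"

# Simple regular expression used to distinguish scalar from multiple-row commands (not sole condition)
SQL_SCALAR_REGEX = r"\A(SELECT(?!\s+DISTINCT\(?))?\s*\w*\("

# IP address of the localhost
LOCALHOST = "127.0.0.1"

# Default port used by Tor
DEFAULT_TOR_SOCKS_PORT = 9050

# Default ports used in Tor proxy bundles
DEFAULT_TOR_HTTP_PORTS = (8123, 8118)

# Percentage below which comparison engine could have problems
LOW_TEXT_PERCENT = 20

# These MySQL keywords can't go (alone) into versioned comment form (/*!...*/)
# Reference: http://dev.mysql.com/doc/refman/5.1/en/function-resolution.html
IGNORE_SPACE_AFFECTED_KEYWORDS = ("CAST", "COUNT", "EXTRACT", "GROUP_CONCAT", "MAX", "MID", "MIN", "SESSION_USER", "SUBSTR", "SUBSTRING", "SUM", "SYSTEM_USER", "TRIM")

LEGAL_DISCLAIMER = "Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program"

# After this number of misses reflective removal mechanism is turned off (for speed up reasons)
REFLECTIVE_MISS_THRESHOLD = 20

# Regular expression used for extracting HTML title
HTML_TITLE_REGEX = "<title>(?P<result>[^<]+)</title>"

# Table used for Base64 conversion in WordPress hash cracking routine
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Chars used to quickly distinguish if the user provided tainted parameter values
DUMMY_SQL_INJECTION_CHARS = ";()'"

# Simple check against dummy users
DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]"

# Extensions skipped by crawler ("iso" is listed twice; harmless for membership tests)
CRAWL_EXCLUDE_EXTENSIONS = ("gif", "jpg", "jar", "tif", "bmp", "war", "ear", "mpg", "wmv", "mpeg", "scm", "iso", "dmp", "dll", "cab", "so", "avi", "bin", "exe", "iso", "tar", "png", "pdf", "ps", "mp3", "zip", "rar", "gz")

# Patterns often seen in HTTP headers containing custom injection marking character
PROBLEMATIC_CUSTOM_INJECTION_PATTERNS = r"(\bq=[^;']+)|(\*/\*)"

# Template used for common table existence check
BRUTE_TABLE_EXISTS_TEMPLATE = "EXISTS(SELECT %d FROM %s)"

# Template used for common column existence check
BRUTE_COLUMN_EXISTS_TEMPLATE = "EXISTS(SELECT %s FROM %s)"

# Payload used for checking of existence of IDS/WAF (dummier the better)
IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1"

# Vectors used for provoking specific WAF/IDS/IPS behavior(s)
WAF_ATTACK_VECTORS = (
    "",  # NIL
    "search=<script>alert(1)</script>",
    "file=../../../../etc/passwd",
    "q=<invalid>foobar",
    "id=1 %s" % IDS_WAF_CHECK_PAYLOAD
)

# Used for status representation in dictionary attack phase
ROTATING_CHARS = ('\\', '|', '|', '/', '-')

# Chunk length (in items) used by BigArray objects (only last chunk and cached one are held in memory)
BIGARRAY_CHUNK_LENGTH = 4096

# Only console display last n table rows
TRIM_STDOUT_DUMP_SIZE = 256

# Parse response headers only first couple of times
PARSE_HEADERS_LIMIT = 3

# Step used in ORDER BY technique used for finding the right number of columns in UNION query injections
ORDER_BY_STEP = 10

# Maximum number of times for revalidation of a character in time-based injections
MAX_TIME_REVALIDATION_STEPS = 5

# Characters that can be used to split parameter values in provided command line (e.g. in --tamper)
PARAMETER_SPLITTING_REGEX = r'[,|;]'

# Regular expression describing possible union char value (e.g. used in --union-char)
UNION_CHAR_REGEX = r'\A\w+\Z'

# Attribute used for storing original parameter value in special cases (e.g. POST)
UNENCODED_ORIGINAL_VALUE = 'original'

# Common column names containing usernames (used for hash cracking in some cases)
COMMON_USER_COLUMNS = ('user', 'username', 'user_name', 'benutzername', 'benutzer', 'utilisateur', 'usager', 'consommateur', 'utente', 'utilizzatore', 'usufrutuario', 'korisnik', 'usuario', 'consumidor')

# Default delimiter in GET/POST values
DEFAULT_GET_POST_DELIMITER = '&'

# Default delimiter in cookie values
DEFAULT_COOKIE_DELIMITER = ';'

# Unix timestamp used for forcing cookie expiration when provided with --load-cookies
FORCE_COOKIE_EXPIRATION_TIME = "9999999999"

# Skip unforced HashDB flush requests below the threshold number of cached items
HASHDB_FLUSH_THRESHOLD = 32

# Number of retries for unsuccessful HashDB flush attempts
HASHDB_FLUSH_RETRIES = 3

# Unique milestone value used for forced deprecation of old HashDB values (e.g. when changing hash/pickle mechanism)
HASHDB_MILESTONE_VALUE = "cAWxkLYCQT"  # r5129 "".join(random.sample(string.letters, 10))

# Warn user of possible delay due to large page dump in full UNION query injections
LARGE_OUTPUT_THRESHOLD = 1024 ** 2

# On huge tables there is a considerable slowdown if every row retrieval requires ORDER BY (most noticable in table dumping using ERROR injections)
SLOW_ORDER_COUNT_THRESHOLD = 10000

# Give up on hash recognition if nothing was found in first given number of rows
HASH_RECOGNITION_QUIT_THRESHOLD = 10000

# Maximum number of redirections to any single URL - this is needed because of the state that cookies introduce
MAX_SINGLE_URL_REDIRECTIONS = 4

# Maximum total number of redirections (regardless of URL) - before assuming we're in a loop
MAX_TOTAL_REDIRECTIONS = 10

# Reference: http://www.tcpipguide.com/free/t_DNSLabelsNamesandSyntaxRules.htm
MAX_DNS_LABEL = 63

# Alphabet used for prefix and suffix strings of name resolution requests in DNS technique (excluding hexadecimal chars for not mixing with inner content)
# string.ascii_letters is locale-independent (string.letters is not), which keeps
# the generated labels within the ASCII range DNS allows under any locale
DNS_BOUNDARIES_ALPHABET = re.sub("[a-fA-F]", "", string.ascii_letters)

# Alphabet used for heuristic checks
HEURISTIC_CHECK_ALPHABET = ('"', '\'', ')', '(', '[', ']', ',', '.')

# Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION injections)
MAX_CONNECTION_CHUNK_SIZE = 10 * 1024 * 1024

# Maximum response total page size (trimmed if larger)
MAX_CONNECTION_TOTAL_SIZE = 100 * 1024 * 1024

# Mark used for trimming unnecessary content in large chunks
LARGE_CHUNK_TRIM_MARKER = "__TRIMMED_CONTENT__"

# Generic SQL comment formation
GENERIC_SQL_COMMENT = "-- "

# Threshold value for turning back on time auto-adjustment mechanism
VALID_TIME_CHARS_RUN_THRESHOLD = 100

# Check for empty columns only if table is sufficiently large
CHECK_ZERO_COLUMNS_THRESHOLD = 10

# Boldify all logger messages containing these "patterns"
BOLD_PATTERNS = ("' injectable", "might be injectable", "' is vulnerable", "is not injectable", "test failed", "test passed", "live test final result", "test shows that")

# Generic www root directory names
GENERIC_DOC_ROOT_DIRECTORY_NAMES = ("htdocs", "httpdocs", "public", "wwwroot", "www")

# Maximum length of a help part containing switch/option name(s)
MAX_HELP_OPTION_LENGTH = 18

# Maximum number of connection retries (to prevent problems with recursion)
MAX_CONNECT_RETRIES = 100

# Strings for detecting formatting errors
FORMAT_EXCEPTION_STRINGS = ("Type mismatch", "Error converting", "Failed to convert", "System.FormatException", "java.lang.NumberFormatException")

# Regular expression used for extracting ASP.NET view state values
VIEWSTATE_REGEX = r'(?i)(?P<name>__VIEWSTATE[^"]*)[^>]+value="(?P<result>[^"]+)'

# Regular expression used for extracting ASP.NET event validation values
EVENTVALIDATION_REGEX = r'(?i)(?P<name>__EVENTVALIDATION[^"]*)[^>]+value="(?P<result>[^"]+)'

# Number of rows to generate inside the full union test for limited output (mustn't be too large to prevent payload length problems)
LIMITED_ROWS_TEST_NUMBER = 15

# Format used for representing invalid unicode characters
INVALID_UNICODE_CHAR_FORMAT = r"\?%02x"

# Regular expression for SOAP-like POST data
SOAP_RECOGNITION_REGEX = r"(?s)\A(<\?xml[^>]+>)?\s*<([^> ]+)( [^>]+)?>.+</\2.*>\s*\Z"

# Regular expression used for detecting JSON-like POST data
JSON_RECOGNITION_REGEX = r'(?s)\A\s*\{.*"[^"]+"\s*:\s*("[^"]+"|\d+).*\}\s*\Z'

# Regular expression used for detecting multipart POST data
MULTIPART_RECOGNITION_REGEX = r"(?i)Content-Disposition:[^;]+;\s*name="

# Default POST data content-type
DEFAULT_CONTENT_TYPE = "application/x-www-form-urlencoded; charset=utf-8"

# Raw text POST data content-type
PLAIN_TEXT_CONTENT_TYPE = "text/plain; charset=utf-8"

# Length used while checking for existence of Suhosin-patch (like) protection mechanism
SUHOSIN_MAX_VALUE_LENGTH = 512

# Minimum size of an (binary) entry before it can be considered for dumping to disk
MIN_BINARY_DISK_DUMP_SIZE = 100

# Regular expression used for extracting form tags
FORM_SEARCH_REGEX = r"(?si)<form(?!.+<form).+?</form>"

# Minimum field entry length needed for encoded content (hex, base64,...) check
MIN_ENCODED_LEN_CHECK = 5

# Timeout in seconds in which Metasploit remote session has to be initialized
METASPLOIT_SESSION_TIMEOUT = 180

# Reference: http://www.cookiecentral.com/faq/#3.5
NETSCAPE_FORMAT_HEADER_COOKIES = "# Netscape HTTP Cookie File."

# Prefixes used in brute force search for web server document root
# (BRUTE_DOC_ROOT_TARGET_MARK below is the placeholder substituted with the target name)
BRUTE_DOC_ROOT_PREFIXES = {
    OS.LINUX: ("/var/www", "/var/www/%TARGET%", "/var/www/vhosts/%TARGET%", "/var/www/virtual/%TARGET%", "/var/www/clients/vhosts/%TARGET%", "/var/www/clients/virtual/%TARGET%"),
    OS.WINDOWS: ("/xampp", "/Program Files/xampp/", "/wamp", "/Program Files/wampp/", "/Inetpub/wwwroot", "/Inetpub/wwwroot/%TARGET%", "/Inetpub/vhosts/%TARGET%")
}

# Suffixes used in brute force search for web server document root
BRUTE_DOC_ROOT_SUFFIXES = ("", "html", "htdocs", "httpdocs", "php", "public", "src", "site", "build", "web", "sites/all", "www/build")

# String used for marking target name inside used brute force web server document root
BRUTE_DOC_ROOT_TARGET_MARK = "%TARGET%"

# CSS style used in HTML dump format (string content kept verbatim: it is emitted into the dump)
HTML_DUMP_CSS_STYLE = """<style>
table{
margin:10;
background-color:#FFFFFF;
font-family:verdana;
font-size:12px;
align:center;
}
thead{
font-weight:bold;
background-color:#4F81BD;
color:#FFFFFF;
}
tr:nth-child(even) {
background-color: #D3DFEE
}
td{
font-size:10px;
}
</style>"""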