sqlmap/lib/controller/checks.py

753 lines
28 KiB
Python
Raw Normal View History

2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
2008-10-15 19:56:32 +04:00
$Id$
2008-10-15 19:38:22 +04:00
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
2008-10-15 19:38:22 +04:00
"""
import re
2010-05-21 17:36:49 +04:00
import socket
2008-10-15 19:38:22 +04:00
import time
from difflib import SequenceMatcher
2008-10-15 19:38:22 +04:00
from lib.core.agent import agent
2010-10-25 23:16:42 +04:00
from lib.core.common import beep
2010-12-06 18:50:19 +03:00
from lib.core.common import extractRegexResult
2010-06-02 16:45:40 +04:00
from lib.core.common import getUnicode
2010-12-04 18:47:02 +03:00
from lib.core.common import popValue
from lib.core.common import pushValue
2008-10-15 19:38:22 +04:00
from lib.core.common import randomInt
from lib.core.common import randomStr
2010-10-11 15:47:07 +04:00
from lib.core.common import readInput
2010-12-04 13:13:18 +03:00
from lib.core.common import removeDynamicContent
from lib.core.common import showStaticWords
2010-11-29 18:14:49 +03:00
from lib.core.common import trimAlphaNum
from lib.core.common import wasLastRequestDBMSError
2010-09-13 17:31:01 +04:00
from lib.core.common import DynamicContentItem
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
2010-10-07 02:29:52 +04:00
from lib.core.data import paths
from lib.core.datatype import advancedDict
from lib.core.datatype import injectionDict
2010-11-08 12:49:57 +03:00
from lib.core.enums import HTTPMETHOD
from lib.core.enums import NULLCONNECTION
from lib.core.enums import PAYLOAD
from lib.core.enums import PLACE
2008-10-15 19:38:22 +04:00
from lib.core.exception import sqlmapConnectionException
2010-11-07 03:12:00 +03:00
from lib.core.exception import sqlmapGenericException
2010-02-10 12:39:36 +03:00
from lib.core.exception import sqlmapNoneDataException
2010-11-10 22:44:51 +03:00
from lib.core.exception import sqlmapSiteTooDynamic
2010-10-11 15:47:07 +04:00
from lib.core.exception import sqlmapUserQuitException
2008-10-15 19:38:22 +04:00
from lib.core.session import setString
from lib.core.session import setRegexp
2010-12-09 19:49:02 +03:00
from lib.core.unescaper import unescaper
2008-10-15 19:38:22 +04:00
from lib.request.connect import Connect as Request
from lib.request.templates import getPageTemplate
def unescape(string, dbms):
if dbms in unescaper and "WAITFOR DELAY " not in string:
return unescaper[dbms](string)
else:
return string
def unescapeDbms(payload, injection, dbms):
# If this is a DBMS-specific test (dbms), sqlmap identified the
# DBMS during previous a test (injection.dbms) or the user
# provided a DBMS (conf.dbms), unescape the strings between single
# quotes in the payload
if injection.dbms is not None:
payload = unescape(payload, injection.dbms)
elif dbms is not None:
payload = unescape(payload, dbms)
elif conf.dbms is not None:
payload = unescape(payload, conf.dbms)
return payload
def checkSqlInjection(place, parameter, value):
# Store here the details about boundaries and payload used to
# successfully inject
injection = injectionDict()
2010-12-04 18:47:02 +03:00
# Clear cookies after each query page attempt
2010-12-07 16:34:06 +03:00
kb.testMode = True
2010-12-04 18:47:02 +03:00
for test in conf.tests:
title = test.title
stype = test.stype
clause = test.clause
# Skip test if the user's wants to test only for a specific
# technique
2010-12-09 17:06:43 +03:00
if conf.technique and isinstance(conf.technique, int) and stype != conf.technique:
debugMsg = "skipping test '%s' because the user " % title
debugMsg += "specified to test only for "
debugMsg += "%s" % PAYLOAD.SQLINJECTION[conf.technique]
logger.debug(debugMsg)
continue
# Skip test if the risk is higher than the provided (or default)
# value
# Parse test's <risk>
if test.risk > conf.risk:
debugMsg = "skipping test '%s' because the risk " % title
debugMsg += "is higher than the provided"
logger.debug(debugMsg)
continue
2008-10-15 19:38:22 +04:00
# Skip test if the level is higher than the provided (or default)
# value
# Parse test's <level>
if test.level > conf.level:
debugMsg = "skipping test '%s' because the level " % title
debugMsg += "is higher than the provided"
logger.debug(debugMsg)
continue
# Skip DBMS-specific test if it does not match either the
# previously identified or the user's provided DBMS
if "details" in test and "dbms" in test.details:
dbms = test.details.dbms
else:
dbms = None
if dbms is not None:
if injection.dbms is not None and injection.dbms != dbms:
debugMsg = "skipping test '%s' because " % title
debugMsg += "the back-end DBMS identified is "
debugMsg += "%s" % injection.dbms
logger.debug(debugMsg)
2008-10-15 19:38:22 +04:00
continue
if conf.dbms is not None and conf.dbms.lower() != dbms.lower():
debugMsg = "skipping test '%s' because " % title
debugMsg += "the provided DBMS is %s" % conf.dbms
logger.debug(debugMsg)
continue
2010-10-07 02:43:04 +04:00
2010-12-01 12:17:17 +03:00
# Skip test if it is the same SQL injection type already
# identified by another test
if injection.data and stype in injection.data:
debugMsg = "skipping test '%s' because " % title
debugMsg += "the payload for %s has " % PAYLOAD.SQLINJECTION[stype]
debugMsg += "already been identified"
logger.debug(debugMsg)
continue
# Skip test if it does not match the same SQL injection clause
# already identified by another test
clauseMatch = False
for clauseTest in clause:
if injection.clause is not None and clauseTest in injection.clause:
clauseMatch = True
break
2010-12-09 02:09:42 +03:00
if clause != [ 0 ] and injection.clause and injection.clause != [ 0 ] and not clauseMatch:
debugMsg = "skipping test '%s' because the clauses " % title
debugMsg += "differs from the clause already identified"
logger.debug(debugMsg)
continue
infoMsg = "testing '%s'" % title
2010-10-07 02:43:04 +04:00
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
# Parse test's <request>
comment = agent.getComment(test.request)
fstPayload = agent.cleanupPayload(test.request.payload, value)
fstPayload = unescapeDbms(fstPayload, injection, dbms)
fstPayload = "%s%s" % (fstPayload, comment)
2010-12-07 20:17:38 +03:00
if stype != 4 and clause != [2, 3] and clause != [ 3 ]:
space = " "
else:
space = ""
if conf.prefix is not None and conf.suffix is not None:
# Create a custom boundary object for user's supplied prefix
# and suffix
boundary = advancedDict()
boundary.level = 1
boundary.clause = [ 0 ]
boundary.where = [ 1, 2, 3 ]
boundary.prefix = conf.prefix
boundary.suffix = conf.suffix
2010-11-29 18:09:40 +03:00
if " like" in boundary.suffix.lower():
if "'" in boundary.suffix.lower():
boundary.ptype = 3
elif '"' in boundary.suffix.lower():
boundary.ptype = 5
2010-12-06 18:50:19 +03:00
elif "'" in boundary.suffix:
boundary.ptype = 2
2010-12-06 18:50:19 +03:00
elif '"' in boundary.suffix:
boundary.ptype = 4
else:
boundary.ptype = 1
# Prepend user's provided boundaries to all others boundaries
conf.boundaries.insert(0, boundary)
for boundary in conf.boundaries:
injectable = False
# Skip boundary if the level is higher than the provided (or
# default) value
# Parse boundary's <level>
if boundary.level > conf.level:
# NOTE: shall we report every single skipped boundary too?
continue
# Skip boundary if it does not match against test's <clause>
# Parse test's <clause> and boundary's <clause>
clauseMatch = False
for clauseTest in test.clause:
if clauseTest in boundary.clause:
clauseMatch = True
break
if test.clause != [ 0 ] and boundary.clause != [ 0 ] and not clauseMatch:
continue
# Skip boundary if it does not match against test's <where>
# Parse test's <where> and boundary's <where>
whereMatch = False
for where in test.where:
if where in boundary.where:
whereMatch = True
break
if not whereMatch:
continue
# Parse boundary's <prefix>, <suffix> and <ptype>
prefix = boundary.prefix if boundary.prefix else ""
suffix = boundary.suffix if boundary.suffix else ""
ptype = boundary.ptype
# If the previous injections succeeded, we know which prefix,
# suffix and parameter type to use for further tests, no
# need to cycle through the boundaries for the following tests
condBound = (injection.prefix is not None and injection.suffix is not None)
condBound &= (injection.prefix != prefix or injection.suffix != suffix)
condType = injection.ptype is not None and injection.ptype != ptype
if condBound or condType:
continue
# For each test's <where>
for where in test.where:
templatePayload = None
# Threat the parameter original value according to the
# test's <where> tag
if where == 1:
origValue = value
elif where == 2:
origValue = "-%s" % randomInt()
# Use different page template than the original one
2010-12-05 14:15:09 +03:00
# as we are changing parameters value, which will result
# most definitely with a different content
templatePayload = agent.payload(place, parameter, value, origValue)
elif where == 3:
origValue = ""
kb.pageTemplate = getPageTemplate(templatePayload, place)
# Forge request payload by prepending with boundary's
# prefix and appending the boundary's suffix to the
# test's ' <payload><comment> ' string
boundPayload = "%s%s%s%s %s" % (origValue, prefix, space, fstPayload, suffix)
boundPayload = boundPayload.strip()
boundPayload = agent.cleanupPayload(boundPayload, value)
reqPayload = agent.payload(place, parameter, value, boundPayload)
# Perform the test's request and check whether or not the
# payload was successful
# Parse test's <response>
for method, check in test.response.items():
check = agent.cleanupPayload(check, value)
# In case of boolean-based blind SQL injection
2010-12-06 18:50:19 +03:00
if method == PAYLOAD.METHOD.COMPARISON:
sndPayload = agent.cleanupPayload(test.response.comparison, value)
sndPayload = unescapeDbms(sndPayload, injection, dbms)
sndPayload = "%s%s" % (sndPayload, comment)
# Forge response payload by prepending with
# boundary's prefix and appending the boundary's
# suffix to the test's ' <payload><comment> '
# string
boundPayload = "%s%s%s%s %s" % (origValue, prefix, space, sndPayload, suffix)
boundPayload = boundPayload.strip()
boundPayload = agent.cleanupPayload(boundPayload, value)
cmpPayload = agent.payload(place, parameter, value, boundPayload)
2010-12-18 12:51:34 +03:00
# Useful to set kb.matchRatio at first based on
# the False response content
2010-12-18 12:51:34 +03:00
kb.matchRatio = None
_ = Request.queryPage(cmpPayload, place)
2010-12-09 03:26:06 +03:00
# Perform the test's True request
trueResult = Request.queryPage(reqPayload, place)
if trueResult:
falseResult = Request.queryPage(cmpPayload, place)
2010-12-09 03:26:06 +03:00
# Perform the test's False request
if not falseResult:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True
# In case of error-based or UNION query SQL injections
2010-12-06 18:50:19 +03:00
elif method == PAYLOAD.METHOD.GREP:
# Perform the test's request and grep the response
# body for the test's <grep> regular expression
reqBody, _ = Request.queryPage(reqPayload, place, content=True)
2010-12-06 18:50:19 +03:00
output = extractRegexResult(check, reqBody, re.DOTALL | re.IGNORECASE)
if output:
2010-12-07 01:40:07 +03:00
result = output.replace(kb.misc.space, " ") == "1"
2010-12-06 21:44:42 +03:00
if result:
2010-12-06 18:50:19 +03:00
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
2010-12-06 18:50:19 +03:00
injectable = True
# In case of time-based blind or stacked queries
# SQL injections
elif method == PAYLOAD.METHOD.TIME:
# Store old value of socket timeout
pushValue(socket.getdefaulttimeout())
# Set socket timeout to 2 minutes as some
# time based checks can take awhile
socket.setdefaulttimeout(120)
# Perform the test's request
2010-12-08 14:26:54 +03:00
trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True)
if trueResult:
# Confirm test's results
trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True)
if trueResult:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
logger.info(infoMsg)
injectable = True
# Restore value of socket timeout
socket.setdefaulttimeout(popValue())
# If the injection test was successful feed the injection
# object with the test's details
if injectable is True:
# Feed with the boundaries details only the first time a
# test has been successful
if injection.place is None or injection.parameter is None:
if place == PLACE.UA:
injection.parameter = conf.agent
else:
injection.parameter = parameter
injection.place = place
injection.ptype = ptype
injection.prefix = prefix
injection.suffix = suffix
injection.clause = clause
2010-12-03 17:45:13 +03:00
if "vector" in test and test.vector is not None:
vector = "%s%s" % (test.vector, comment)
else:
2010-12-03 17:45:13 +03:00
vector = None
# Feed with test details every time a test is successful
injection.data[stype] = advancedDict()
injection.data[stype].title = title
injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload, False)
injection.data[stype].where = where
2010-12-03 17:45:13 +03:00
injection.data[stype].vector = vector
injection.data[stype].comment = comment
2010-12-18 12:51:34 +03:00
injection.data[stype].matchRatio = kb.matchRatio
injection.data[stype].templatePayload = templatePayload
if hasattr(test, "details"):
for detailKey, detailValue in test.details.items():
if detailKey == "dbms" and injection.dbms is None:
injection.dbms = detailValue
kb.dbms = detailValue
elif detailKey == "dbms_version" and injection.dbms_version is None:
injection.dbms_version = detailValue
kb.dbmsVersion = [ detailValue ]
elif detailKey == "os" and injection.os is None:
injection.os = detailValue
if conf.beep:
beep()
# There is no need to perform this test for other
# <where> tags
break
2008-10-15 19:38:22 +04:00
if injectable is True:
# There is no need to perform this test with others
# boundaries
break
2010-12-04 18:47:02 +03:00
# Flush the flag
2010-12-07 16:34:06 +03:00
kb.testMode = False
2010-12-04 18:47:02 +03:00
# Return the injection object
if injection.place is not None and injection.parameter is not None:
return injection
else:
return None
2008-10-15 19:38:22 +04:00
2010-10-11 16:26:35 +04:00
def heuristicCheckSqlInjection(place, parameter, value):
if kb.nullConnection:
debugMsg = "heuristic checking skipped "
debugMsg += "because NULL connection used"
logger.debug(debugMsg)
return
2010-10-11 16:26:35 +04:00
prefix = ""
suffix = ""
2010-10-11 16:26:35 +04:00
if conf.prefix or conf.suffix:
2010-10-11 16:26:35 +04:00
if conf.prefix:
prefix = conf.prefix
if conf.suffix:
suffix = conf.suffix
2010-10-11 16:26:35 +04:00
payload = "%s%s%s%s" % (value, prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), suffix)
2010-10-27 12:27:31 +04:00
payload = agent.payload(place, parameter, value, payload)
2010-11-04 00:51:36 +03:00
Request.queryPage(payload, place, raise404=False)
result = wasLastRequestDBMSError()
2010-10-16 19:10:48 +04:00
infoMsg = "heuristic test shows that %s " % place
2010-11-16 13:52:49 +03:00
infoMsg += "parameter '%s' might " % parameter
2010-10-16 19:10:48 +04:00
2010-10-11 16:26:35 +04:00
if result:
2010-11-16 13:52:49 +03:00
infoMsg += "be injectable (possible DBMS: %s)" % (kb.htmlFp[-1] if kb.htmlFp else 'Unknown')
2010-10-11 16:26:35 +04:00
logger.info(infoMsg)
else:
2010-11-16 13:52:49 +03:00
infoMsg += "not be injectable"
2010-12-08 17:46:07 +03:00
logger.warn(infoMsg)
2010-10-11 16:26:35 +04:00
2008-10-15 19:38:22 +04:00
def checkDynParam(place, parameter, value):
"""
This function checks if the url parameter is dynamic. If it is
dynamic, the content of the page differs, otherwise the
dynamicity might depend on another parameter.
"""
2010-12-18 12:51:34 +03:00
kb.matchRatio = None
2010-11-10 01:44:23 +03:00
infoMsg = "testing if %s parameter '%s' is dynamic" % (place, parameter)
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
randInt = randomInt()
2010-06-02 16:45:40 +04:00
payload = agent.payload(place, parameter, value, getUnicode(randInt))
dynResult = Request.queryPage(payload, place)
2008-10-15 19:38:22 +04:00
if True == dynResult:
2008-10-15 19:38:22 +04:00
return False
infoMsg = "confirming that %s parameter '%s' is dynamic" % (place, parameter)
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
randInt = randomInt()
payload = agent.payload(place, parameter, value, getUnicode(randInt))
dynResult = Request.queryPage(payload, place)
2008-10-15 19:38:22 +04:00
return not dynResult
2008-10-15 19:38:22 +04:00
def checkDynamicContent(firstPage, secondPage):
"""
This function checks if the provided pages have dynamic content. If they
are dynamic, proper markings will be made.
"""
2010-11-04 12:18:32 +03:00
2010-11-04 00:51:36 +03:00
if kb.nullConnection:
2010-11-04 12:18:32 +03:00
debugMsg = "dynamic content checking skipped "
debugMsg += "because NULL connection used"
logger.debug(debugMsg)
2010-11-04 00:51:36 +03:00
return
2010-10-16 19:10:48 +04:00
if conf.longestCommon:
debugMsg = "dynamic content checking skipped "
debugMsg += "because longest common comparison used"
logger.debug(debugMsg)
return
2010-09-13 19:19:47 +04:00
infoMsg = "searching for dynamic content"
2010-09-13 17:31:01 +04:00
logger.info(infoMsg)
blocks = SequenceMatcher(None, firstPage, secondPage).get_matching_blocks()
kb.dynamicMarkings = []
2010-10-07 02:29:52 +04:00
# Removing too small matching blocks
i = 0
while i < len(blocks):
block = blocks[i]
(_, _, length) = block
2010-10-25 23:45:53 +04:00
if length <= conf.dynMarkLength:
blocks.remove(block)
2010-10-25 23:45:53 +04:00
else:
i += 1
# Making of dynamic markings based on prefix/suffix principle
if len(blocks) > 0:
blocks.insert(0, None)
blocks.append(None)
2010-10-25 23:45:53 +04:00
for i in xrange(len(blocks) - 1):
prefix = firstPage[blocks[i][0]:blocks[i][0] + blocks[i][2]] if blocks[i] else None
suffix = firstPage[blocks[i + 1][0]:blocks[i + 1][0] + blocks[i + 1][2]] if blocks[i + 1] else None
2010-10-25 23:45:53 +04:00
if prefix is None and blocks[i + 1][0] == 0:
continue
2010-10-25 23:45:53 +04:00
if suffix is None and (blocks[i][0] + blocks[i][2] >= len(firstPage)):
continue
2010-10-25 23:45:53 +04:00
2010-11-29 18:14:49 +03:00
prefix = trimAlphaNum(prefix)
suffix = trimAlphaNum(suffix)
2010-11-29 17:30:57 +03:00
kb.dynamicMarkings.append((re.escape(prefix[-conf.dynMarkLength/2:]) if prefix else None, re.escape(suffix[:conf.dynMarkLength/2]) if suffix else None))
if len(kb.dynamicMarkings) > 0:
infoMsg = "dynamic content marked for removal (%d region%s)" % (len(kb.dynamicMarkings), 's' if len(kb.dynamicMarkings) > 1 else '')
2010-09-13 17:31:01 +04:00
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
def checkStability():
"""
This function checks if the URL content is stable requesting the
2010-09-13 19:19:47 +04:00
same page two times with a small delay within each request to
2008-10-15 19:38:22 +04:00
assume that it is stable.
In case the content of the page differs when requesting
the same page, the dynamicity might depend on other parameters,
like for instance string matching (--string).
"""
infoMsg = "testing if the url is stable, wait a few seconds"
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
firstPage = kb.originalPage # set inside checkConnection()
time.sleep(1)
secondPage, _ = Request.queryPage(content=True)
2008-10-15 19:38:22 +04:00
2010-10-25 17:52:21 +04:00
kb.pageStable = (firstPage == secondPage)
2010-10-25 17:52:21 +04:00
if kb.pageStable:
if firstPage:
logMsg = "url is stable"
logger.info(logMsg)
else:
errMsg = "there was an error checking the stability of page "
errMsg += "because of lack of content. please check the "
errMsg += "page request results (and probable errors) by "
errMsg += "using higher verbosity levels"
raise sqlmapNoneDataException, errMsg
2010-10-25 17:52:21 +04:00
else:
warnMsg = "url is not stable, sqlmap will base the page "
2010-10-16 19:10:48 +04:00
warnMsg += "comparison on a sequence matcher. If no dynamic nor "
warnMsg += "injectable parameters are detected, or in case of "
warnMsg += "junk results, refer to user's manual paragraph "
warnMsg += "'Page comparison' and provide a string or regular "
warnMsg += "expression to match on"
logger.warn(warnMsg)
2008-10-15 19:38:22 +04:00
message = "how do you want to proceed? [C(ontinue)/s(tring)/r(egex)/q(uit)] "
test = readInput(message, default="C")
2010-10-16 19:10:48 +04:00
if test and test[0] in ("q", "Q"):
raise sqlmapUserQuitException
2010-10-16 19:10:48 +04:00
elif test and test[0] in ("s", "S"):
showStaticWords(firstPage, secondPage)
2010-10-16 19:10:48 +04:00
message = "please enter value for parameter 'string': "
test = readInput(message)
2010-10-16 19:10:48 +04:00
if test:
conf.string = test
2010-11-04 12:18:32 +03:00
if kb.nullConnection:
debugMsg = "turning off NULL connection "
debugMsg += "support because of string checking"
logger.debug(debugMsg)
kb.nullConnection = None
else:
2010-11-10 22:44:51 +03:00
errMsg = "Empty value supplied"
raise sqlmapNoneDataException, errMsg
2010-10-16 19:10:48 +04:00
elif test and test[0] in ("r", "R"):
message = "please enter value for parameter 'regex': "
test = readInput(message)
2010-10-16 19:10:48 +04:00
if test:
conf.regex = test
2010-11-04 12:18:32 +03:00
if kb.nullConnection:
debugMsg = "turning off NULL connection "
debugMsg += "support because of regex checking"
logger.debug(debugMsg)
kb.nullConnection = None
else:
2010-11-10 22:44:51 +03:00
errMsg = "Empty value supplied"
raise sqlmapNoneDataException, errMsg
else:
checkDynamicContent(firstPage, secondPage)
2010-09-13 17:31:01 +04:00
count = 0
while not Request.queryPage():
count += 1
if count > conf.retries:
errMsg = "target url is too dynamic. unable to continue. "
errMsg += "consider using other switches (e.g. "
errMsg += "--longest-common, --string, --text-only, etc.)"
raise sqlmapSiteTooDynamic, errMsg
warnMsg = "target url is heavily dynamic"
warnMsg += ", sqlmap is going to retry the request"
logger.critical(warnMsg)
2010-11-29 18:25:45 +03:00
secondPage, _ = Request.queryPage(content=True)
checkDynamicContent(firstPage, secondPage)
2010-10-25 17:52:21 +04:00
return kb.pageStable
2010-03-12 15:23:05 +03:00
2008-10-15 19:38:22 +04:00
def checkString():
if not conf.string:
return True
condition = (
kb.resumedQueries.has_key(conf.url) and
kb.resumedQueries[conf.url].has_key("String") and
kb.resumedQueries[conf.url]["String"][:-1] == conf.string
)
if condition:
return True
infoMsg = "testing if the provided string is within the "
infoMsg += "target URL page content"
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
page, _ = Request.queryPage(content=True)
2008-10-15 19:38:22 +04:00
if conf.string in page:
setString()
else:
warnMsg = "you provided '%s' as the string to " % conf.string
warnMsg += "match, but such a string is not within the target "
warnMsg += "URL page content original request, sqlmap will "
warnMsg += "keep going anyway"
logger.warn(warnMsg)
2008-10-15 19:38:22 +04:00
return True
2008-10-15 19:38:22 +04:00
def checkRegexp():
if not conf.regexp:
return True
condition = (
kb.resumedQueries.has_key(conf.url) and
kb.resumedQueries[conf.url].has_key("Regular expression") and
kb.resumedQueries[conf.url]["Regular expression"][:-1] == conf.regexp
)
if condition:
return True
infoMsg = "testing if the provided regular expression matches within "
infoMsg += "the target URL page content"
logger.info(infoMsg)
page, _ = Request.queryPage(content=True)
if re.search(conf.regexp, page, re.I | re.M):
setRegexp()
else:
warnMsg = "you provided '%s' as the regular expression to " % conf.regexp
warnMsg += "match, but such a regular expression does not have any "
warnMsg += "match within the target URL page content, sqlmap "
warnMsg += "will keep going anyway"
logger.warn(warnMsg)
return True
2010-09-16 12:43:10 +04:00
def checkNullConnection():
2010-10-15 15:17:17 +04:00
"""
Reference: http://www.wisec.it/sectou.php?id=472f952d79293
"""
2010-09-16 12:43:10 +04:00
infoMsg = "testing NULL connection to the target url"
logger.info(infoMsg)
try:
2010-11-08 12:49:57 +03:00
page, headers = Request.getPage(method=HTTPMETHOD.HEAD)
2010-12-06 18:50:19 +03:00
2010-09-16 12:43:10 +04:00
if not page and 'Content-Length' in headers:
2010-11-08 12:49:57 +03:00
kb.nullConnection = NULLCONNECTION.HEAD
2010-10-15 16:46:41 +04:00
infoMsg = "NULL connection is supported with HEAD header"
logger.info(infoMsg)
2010-09-16 12:43:10 +04:00
else:
2010-11-08 16:26:45 +03:00
page, headers = Request.getPage(auxHeaders={"Range": "bytes=-1"})
2010-12-06 18:50:19 +03:00
2010-09-16 12:43:10 +04:00
if page and len(page) == 1 and 'Content-Range' in headers:
2010-11-08 12:49:57 +03:00
kb.nullConnection = NULLCONNECTION.RANGE
2010-09-16 12:43:10 +04:00
2010-10-15 16:46:41 +04:00
infoMsg = "NULL connection is supported with GET header "
infoMsg += "'%s'" % kb.nullConnection
logger.info(infoMsg)
2010-12-06 18:50:19 +03:00
2010-09-16 12:43:10 +04:00
except sqlmapConnectionException, errMsg:
errMsg = getUnicode(errMsg)
raise sqlmapConnectionException, errMsg
return kb.nullConnection is not None
2010-11-15 15:19:22 +03:00
def checkConnection(suppressOutput=False):
2010-05-21 17:36:49 +04:00
try:
socket.gethostbyname(conf.hostname)
except socket.gaierror:
2010-05-21 18:25:38 +04:00
errMsg = "host '%s' does not exist" % conf.hostname
2010-05-21 17:36:49 +04:00
raise sqlmapConnectionException, errMsg
2010-11-15 15:19:22 +03:00
if not suppressOutput:
infoMsg = "testing connection to the target url"
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
try:
2010-11-08 02:25:53 +03:00
page, _ = Request.queryPage(content=True)
kb.originalPage = kb.pageTemplate = page
except sqlmapConnectionException, errMsg:
2010-06-02 16:45:40 +04:00
errMsg = getUnicode(errMsg)
raise sqlmapConnectionException, errMsg
2008-10-15 19:38:22 +04:00
return True